  • Disabling Weak SSL v2 Support in Apache Server

    Published December 4th, 2008

    Problem Statement

    By default, Apache 2.x with SSL enabled will still negotiate SSL v2, a protocol Netscape Communications Corporation introduced with Netscape Navigator 1.0 in 1994 and one with several well-known weaknesses. For example, the SSLv2 handshake is not integrity-protected, so a man-in-the-middle can tamper with it (such as forcing a weaker cipher suite) without either side noticing, and SSLv2 uses the same cryptographic key for message authentication and for encryption. If you use a third-party scanner service such as McAfee or ScanAlert, you will get a high-severity finding for SSL v2. Here we show how to tighten Apache's SSL configuration so that SSLv2 can no longer be negotiated.

    Where is SSL Support Going for Popular Web browsers

    By default, Internet Explorer 7 (IE7) disables SSLv2 support and enables the stronger TLSv1 instead, so IE7 will only negotiate HTTPS connections using SSLv3 or TLSv1. Mozilla Firefox is expected to drop support for SSLv2 in its future versions. Since nearly all Web browsers now support SSLv3, disabling support for the weaker SSL version should have minimal impact. The following browsers support SSLv3:

    • Internet Explorer 5.5 or higher (PC)
    • Internet Explorer 5.0 or higher (Mac)
    • Netscape 2.0 (Domestic) or higher (PC/Mac)
    • Firefox 0.8 or higher (PC/Mac/Linux)
    • Mozilla 1.7 or higher (PC/Mac/Linux)
    • Camino 0.8 or higher (Mac)
    • Safari 1.0 or higher (Mac)
    • Opera 1.7 or higher (PC/Mac)
    • Omniweb 3.0 or higher (Mac)
    • Konqueror 2.0 or higher (Linux)

    According to the PCI Security Standards Council's November 2008 Assessor newsletter (https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf), "…it is imperative that an ASV identify the use of SSL 2.0 to transmit cardholder data as a failure."

    Updating Apache Configuration for SSL

    For Apache, you need to set the SSLProtocol directive, and to drop the SSLv2-only cipher suites as well, the SSLCipherSuite directive, in httpd.conf or ssl.conf (on CentOS and RHEL the mod_ssl configuration lives in /etc/httpd/conf.d/ssl.conf), inside the SSL-enabled virtual host. It is SSLProtocol that actually stops SSLv2 from being negotiated; the -SSLv2 in the cipher list only removes the cipher suites that exist for SSLv2 alone. Keep the +/- prefixes exactly as shown: in mod_ssl a prefixed keyword adds to or removes from the set built so far, whereas a bare keyword replaces it. Here is the configuration you need to add or edit in these files:

    # Disable SSLv2 at the protocol level; only SSLv3 and TLSv1 may be negotiated
    SSLProtocol -ALL +SSLv3 +TLSv1
    # Drop SSLv2-only, anonymous DH, low-strength and export cipher suites
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    

    Once added/edited, check the syntax with apachectl configtest, restart Apache, and confirm that your SSL-enabled site still works as expected and that an SSLv2-only client can no longer connect. Note that SSLv3 has itself since been deprecated (RFC 7568, 2015), so on a current server the same technique is used to remove SSLv3 too, leaving only the TLS versions.
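    As an added example (not code from the original post), the following POSIX shell script evaluates the arguments of an SSLProtocol directive with the same rules mod_ssl applies ("+X" adds, "-X" removes, a bare "X" replaces the set built so far), audits a constructed sample of ssl.conf lines, and carries a check_live function (not run here) that probes a server with openssl s_client -ssl2. The function names, the bit values and the sample config lines are this example's own assumptions, not mod_ssl constants or a real server's file.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors how mod_ssl's
# ssl_cmd_protocol_parse() evaluates SSLProtocol arguments:
#   "+X" adds X, "-X" removes X, and a bare "X" REPLACES everything so far
#   (httpd 2.4 logs a warning when a bare keyword overrides earlier ones).
# The bit values below are this script's own bookkeeping, not mod_ssl constants.
P_SSLV2=1; P_SSLV3=2; P_TLSV1=4; P_ALL=7

# proto_bits "<arguments of an SSLProtocol directive>" -> prints the resulting bitmask
proto_bits() {
    bits=0
    for w in $1; do
        case $w in
            +*) action=add; w=${w#+} ;;
            -*) action=del; w=${w#-} ;;
            *)  action=set ;;
        esac
        # keyword match is case-insensitive, as in mod_ssl
        case $(printf '%s' "$w" | tr '[:upper:]' '[:lower:]') in
            sslv2) this=$P_SSLV2 ;;
            sslv3) this=$P_SSLV3 ;;
            tlsv1) this=$P_TLSV1 ;;
            all)   this=$P_ALL ;;
            *) printf 'SSLProtocol: unknown protocol "%s"\n' "$w" >&2; return 2 ;;
        esac
        case $action in
            add) bits=$((bits | this)) ;;
            del) bits=$((bits & ~this)) ;;
            set) bits=$this ;;
        esac
    done
    printf '%s\n' "$bits"
}

# proto_names <bitmask> -> space-separated protocol names ("none" if empty)
proto_names() {
    names=""
    if [ $(($1 & P_SSLV2)) -ne 0 ]; then names="$names SSLv2"; fi
    if [ $(($1 & P_SSLV3)) -ne 0 ]; then names="$names SSLv3"; fi
    if [ $(($1 & P_TLSV1)) -ne 0 ]; then names="$names TLSv1"; fi
    names=${names# }
    printf '%s\n' "${names:-none}"
}

# sslv2_allowed "<SSLProtocol args>" -> exit 0 if SSLv2 can still be negotiated
sslv2_allowed() {
    b=$(proto_bits "$1") || return 2
    [ $((b & P_SSLV2)) -ne 0 ]
}

# audit_conf <file> -> one verdict line per SSLProtocol directive found.
# A file with no SSLProtocol directive at all is NOT safe: mod_ssl 2.2 then
# defaults to "all", so SSLv2 stays enabled; only present directives are reported.
audit_conf() {
    grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | while read -r directive args; do
        if sslv2_allowed "$args"; then verdict="FAIL (SSLv2 allowed)"; else verdict="ok"; fi
        printf '%-28s -> %-12s %s\n' "$args" "$(proto_names "$(proto_bits "$args")")" "$verdict"
    done
}

# check_live <host> [port]: not run here. Needs an OpenSSL old enough to still
# speak SSLv2 (the -ssl2 option and SSLv2 itself were removed in OpenSSL 1.1.0).
# After the fix, the handshake must fail and the function returns 0.
check_live() {
    host=$1; port=${2:-443}
    if echo | openssl s_client -ssl2 -connect "$host:$port" >/dev/null 2>&1; then
        printf '%s:%s still accepts SSLv2\n' "$host" "$port"; return 1
    fi
    printf '%s:%s rejects SSLv2\n' "$host" "$port"
}

# Constructed sample (not a real server's ssl.conf) exercising the rules above
sample=$(mktemp)
cat >"$sample" <<'EOF'
SSLProtocol all
SSLProtocol all -SSLv2
SSLProtocol -ALL +SSLv3 +TLSv1
SSLProtocol SSLv3 TLSv1
EOF
audit_conf "$sample"
rm -f "$sample"
```

    Run audit_conf against /etc/httpd/conf.d/ssl.conf (or whichever file holds the SSL virtual host) to see the effective protocol set per directive. The last sample line shows the gotcha the +/- prefixes avoid: "SSLv3 TLSv1" without prefixes ends up as TLSv1 only, because the bare second keyword replaces the first. On httpd 2.4 the same rules apply to the additional TLSv1.1 and TLSv1.2 keywords, which this script does not model.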
