Vulnerability: SSL Server Has SSLv2 Enabled Vulnerability

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Vulnerability: SSL Server Has SSLv2 Enabled Vulnerability

Postby meows » 08. March 2007 04:36

While checking my server for vulnerability I came across this and two other serious problems.

First is.. and what is the fix please?
Vulnerability: SSL Server Has SSLv2 Enabled Vulnerability
Qualys ID : 38139
Port : 21
Diagnosis:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.

There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular web-servers, mail-servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

The following links provide more information about this vulnerability:



SSL Server Security Survey

SSL 3.0 Specification



Consequences: An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.
Solution:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

SSLProtocol -ALL +SSLv3 +TLSv1

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:

SSLNoV2

:?:
meows
 
Posts: 44
Joined: 31. January 2007 10:28

Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 67 guests