Vulnerability: SSL Server Has SSLv2 Enabled Vulnerability


Postby meows » 08. March 2007 04:36

While checking my server for vulnerability I came across this and two other serious problems.

The first one is below; what is the fix, please?
Vulnerability: SSL Server Has SSLv2 Enabled Vulnerability
Qualys ID : 38139
Port : 21
Diagnosis:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.

There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.

These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular web-servers, mail-servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.

The following links provide more information about this vulnerability:

SSL Server Security Survey
SSL 3.0 Specification

Consequences: An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.
Solution:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

SSLProtocol -ALL +SSLv3 +TLSv1

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:

SSLNoV2
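An added check for the Apache/mod_ssl form of this fix (example code, not from the original post or the Qualys text): a small Python audit that evaluates the SSLProtocol directive in an httpd.conf/ssl.conf fragment and reports whether SSLv2 can still be negotiated. It assumes mod_ssl's token rules of that generation (`all` expands to SSLv2/SSLv3/TLSv1, `+` adds, `-` removes, a bare token replaces the set so far), that the last directive in the fragment wins, and that a missing directive means the default `all`.

```python
import re

# Protocols the SSLProtocol directive of that mod_ssl generation understood;
# the keyword "all" expands to this whole set (assumption about that version).
KNOWN = frozenset({"sslv2", "sslv3", "tlsv1"})

def parse_ssl_protocol(args):
    """Evaluate the token list of one SSLProtocol directive.
    Assumed mod_ssl rules: "+X" adds X, "-X" removes X, a bare "X" replaces
    the accumulated set, so "-ALL +SSLv3 +TLSv1" -> {sslv3, tlsv1}."""
    enabled = set()
    for tok in args.split():
        sign = ""
        if tok[0] in "+-":
            sign, tok = tok[0], tok[1:]
        name = tok.lower()
        if name == "all":
            names = set(KNOWN)
        elif name in KNOWN:
            names = {name}
        else:
            raise ValueError(f"unknown SSLProtocol token: {tok}")
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = names
    return enabled

def enabled_protocols(conf_text):
    """Protocol set for one server context: the last SSLProtocol line wins;
    with no directive at all, mod_ssl's default "all" is assumed."""
    protocols = set(KNOWN)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        m = re.match(r"sslprotocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            protocols = parse_ssl_protocol(m.group(1))
    return protocols

def sslv2_enabled(conf_text):
    """True when the fragment still lets a client negotiate SSLv2."""
    return "sslv2" in enabled_protocols(conf_text)

# Constructed sample fragments: a config with no SSLProtocol line (default
# "all", so SSLv2 stays on) and the same config with the fix from the scan.
UNFIXED = "SSLEngine on\nSSLCertificateFile conf/ssl.crt/server.crt\n"
FIXED = UNFIXED + "SSLProtocol -ALL +SSLv3 +TLSv1\n"
```

Run `sslv2_enabled(open("ssl.conf").read())` against the real file; it only inspects the directive text, so the same check works before the server is restarted.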
