Author: flatcircle (Joined: 27 Jun 2006, Posts: 79)
Posted: Thu 26 Aug '10 21:10    Post subject: Disable SSLv2 Handshake
Hello guys,
For security reasons, I have disabled SSLv2 (only using SSLv3 & TLS1.0).
However, a security scan (https://www.ssllabs.com/ssldb/index.html) for my domain indicates that "SSL 2.0+ Upgrade Support" is still 'on'.

According to SSL Labs "SSL 2.0+ Upgrade Support" means:

Quote: "...the server supports SSLv2 handshake, even though it may not support SSLv2 itself."

Any ideas how I can disable this handshake as well?

I found another thread: http://forum.nginx.org/read.php?2,104032,104152 about the same issue.

It seems that to solve this you have to enable 'fips support'.
How can I enable this on my Windows-Apache Server?

Regards
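To make the SSL Labs finding concrete, here is an added example (not code from the thread) that tells the two ClientHello framings apart: the SSLv2-compatible hello (RFC 5246 appendix E.2), which uses SSLv2 framing but can advertise SSLv3 or TLS inside, and the normal SSLv3/TLS handshake record. A server that answers the first kind is what "SSL 2.0+ Upgrade Support" means, even when no SSLv2 cipher is enabled. Both sample hellos are constructed inline for the demonstration.

```python
import struct

# Added example (not from the thread): classify a captured ClientHello as SSLv2-
# compatible framing or a normal SSLv3/TLS record, and report what it offers.

def parse_client_hello(data: bytes) -> dict:
    """Return {"format", "version", "ciphers"} for an SSLv2-compatible or
    SSLv3/TLS ClientHello (layouts per RFC 5246 appendix E.2 and section 7.4.1.2)."""
    if len(data) < 5:
        raise ValueError("too short for any ClientHello")
    if data[0] & 0x80:
        # SSLv2 framing: high bit set, 15-bit record length, then the message.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) != rec_len or len(body) < 9 or body[0] != 0x01:
            raise ValueError("malformed SSLv2-compatible ClientHello")
        major, minor, cs_len, sid_len, chal_len = struct.unpack("!BBHHH", body[1:9])
        specs = body[9:9 + cs_len]
        if len(specs) != cs_len or cs_len % 3:
            raise ValueError("truncated cipher spec list")
        # V2CipherSpec is 3 bytes; "00 xx yy" carries an SSLv3/TLS suite id,
        # anything else is a genuine SSLv2 cipher (e.g. 01 00 80 = RC4-128-MD5).
        ciphers = [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]
        return {"format": "sslv2-compat", "version": (major, minor), "ciphers": ciphers}
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    # SSLv3/TLS record: type 0x16, version, 16-bit length, then Handshake message.
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 39 or hs[0] != 0x01:
        raise ValueError("malformed TLS ClientHello")
    major, minor = hs[4], hs[5]
    pos = 6 + 32                      # skip client_version and 32-byte random
    pos += 1 + hs[pos]                # skip session_id
    if pos + 2 > len(hs):
        raise ValueError("truncated TLS ClientHello")
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    specs = hs[pos + 2:pos + 2 + cs_len]
    if len(specs) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher suite list")
    ciphers = [specs[i:i + 2].hex() for i in range(0, cs_len, 2)]
    return {"format": "tls", "version": (major, minor), "ciphers": ciphers}

# Constructed samples. V2_HELLO uses SSLv2 framing but advertises TLS 1.0 and
# two TLS suites (AES128-SHA, DES-CBC3-SHA) next to one real SSLv2 cipher.
V2_HELLO = (bytes.fromhex("8022" "01" "0301" "0009" "0000" "0010")
            + bytes.fromhex("00002f" "00000a" "010080") + b"\x00" * 16)
TLS_HELLO = (bytes.fromhex("160301002f" "0100002b" "0301") + b"\x00" * 32
             + bytes.fromhex("00" "0004" "002f000a" "0100"))
```

Run over hellos taken from a packet capture of your own server, the `format` field shows which clients still open with the old framing; a server that is expected to refuse it should not complete a handshake after an "sslv2-compat" hello.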
Author: glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Thu 26 Aug '10 21:38
I won't say you can't, but fips on XP/2003 is trash and doesn't work.
Steffen, JBlond and I pounded this out a month ago.
See if you can absorb anything from
http://www.apachelounge.com/viewtopic.php?t=3595

I myself need to test JBlond's post. He squeaked out the best score with the least effort. I didn't try it because I was tired of tweaking and testing at the time and eventually forgot about it.
Author: glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Thu 26 Aug '10 22:32
I can only get an 88 because of SSLv2+ unless I disable SSLv3, even with JBlond's SSLCipherSuite string.
SSLProtocol +TLSv1 <- I get a 90
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

With the 88 I'm still PCI compliant.
Author: flatcircle (Joined: 27 Jun 2006, Posts: 79)
Posted: Thu 26 Aug '10 22:32
Thanks for the info! Sorry, I didn't see the post you mentioned.

Maybe it is indeed a simpler solution to just use:
SSLProtocol +TLSv1
to get rid of the message.

The settings below are quite secure, I think.
Is it ok to use only TLSv1? Will most (modern) browsers support this?

SSLProtocol +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!aNULL:!LOW
Author: glsmith, Moderator (Joined: 16 Oct 2007, Posts: 2268, Location: Sun Diego, USA)
Posted: Thu 26 Aug '10 23:02
flatcircle wrote: "Is it ok to use only TLSv1? Will most (modern) browsers support this?"

MSIE & Firefox do, and that is 90+% of the browser market. I recently had someone on Opera connect and they reported no problem to me. These are the only 3 I can say do.
Author: flatcircle (Joined: 27 Jun 2006, Posts: 79)
Posted: Fri 27 Aug '10 9:14
Thank you for the info.
Author: James Blond, Moderator (Joined: 19 Jan 2006, Posts: 7442, Location: EU, Germany, Next to Hamburg)
Posted: Fri 27 Aug '10 10:11
I have to say that I switched back a bit, because of the higher encryption of AES 256.

Code:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

About fips I can also say that it is crap under Windows.

IRONY ON
Let's wait for OpenSSL 2 with TLSv2 and TLSv3 support
IRONY OFF