Disable SSLv2 and enable SSLv3 or TLSv1
SSL 2.0, reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. To disable SSLv2 follow these steps.
After performing vulnerability scan using nessus if you find details about SSLv2 weaknesses in that report then please find the options required to disable SSLv2 as mentioned below.
In /etc/httpd/conf.d/ssl.conf change following options
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
After changing options try this command from command prompt and make sure you get error
- #openssl s_client –ssl2 –connect virtualhost:443
then try this command
- #openssl s_client –ssl3 –connect virtualhost:443
OR
- #openssl s_client –tls1 –connect virtualhost:443
This is to make sure that your sites with ssl are working correctly with SSLv3 or TLSv1.
In order to perform these changes you need to login to server and become super user.
Note: Depending on server configuration ssl.conf file will be different. Default directory to hold apache / httpd configuration in most of gnu/linux is /etc/httpd/
Does your server support SSLv2?
How to test:
You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:
# openssl s_client -ssl2 -connect SERVERNAME:443
If the server does not support SSLv2 you should receive an error similar to the following:
# openssl s_client -ssl2 -connect SERVERNAME:443
CONNECTED(00000003)
458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
How to configure Apache v2 to not accept SSLv2 connections:
You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.
An example would be editing the following lines to look similar to:
SSLProtocol -ALL +SSLv3 +TLSv1
Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.
How to configure Microsoft IIS to not accept SSLv2 connections:
You will need to modify the system’s registry.
Merge the following keys to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.
Those Pesky Weak SSL Ciphers
Does your server support weak SSL ciphers?
How to test:
You will need to have OpenSSL installed on the system that you will perform the tests from. Once installed, use the following command to test your web server, assuming port 443 is where you're providing https connections:
# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP
If the server does not support weak ciphers you should receive an error similar to the following:
# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP
CONNECTED(00000003)
461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
How to configure Apache v2 to not accept weak SSL ciphers:
You will need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.
An example would be editing the following lines to look similar to:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted.
How to configure Microsoft IIS to not accept weak SSL ciphers:
You will need to modify the system’s registry.
Merge the following keys to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:0000000
Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that weak SSL ciphers are no longer accepted..
At this point have your Approved Scanning Vendor (ASV) scan your external facing PCI environment to validate. Making the above changes should cause the ASV scans to nottag and fail you on the following vulnerabilities:
- SSL Server Supports Weak Encryption
- SSL Server Allows Cleartext Encryption
- SSL Server May Be Forced to Use Weak Encryption
- SSL Server Allows Anonymous Authentication
REFERENCES