Disallowing ssl2
John Almberg
jalmberg at identry.com
Tue Nov 11 05:50:57 PST 2008
My server got an audit for PCI compliance and was red-flagged for
allowing SSL2 connections, which they have some problem with. They
want the server to use SSL3 or TLS:
"Synopsis : The remote service encrypts traffic using a protocol with
known weaknesses. Description : The remote service accepts
connections encrypted using SSL 2.0, which reportedly suffers from
several cryptographic flaws and has been deprecated for several
years. An attacker may be able to exploit these issues to conduct man-
in-the-middle attacks or decrypt communications between the affected
service and clients. See also : http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0
and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/
kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/
2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium / CVSS Base
Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) "
They want me to do this for https, imaps, and pop3s protocols...
Before I dig into this, I was wondering, is this even possible? Will
anything break as a result?
-- John
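For the Apache/mod_ssl case the audit report points at, the change comes down to one directive. The fragment below is an added illustration, not part of the original thread, and assumes an Apache 2.0/2.2 httpd.conf with mod_ssl already loaded and SSLv2 still permitted (the `SSLCipherSuite` string is an illustrative choice, not a value from the audit).

```apache
# Weak setting: this is what mod_ssl uses when SSLProtocol is left unset,
# so every protocol version it knows about is accepted, SSL 2.0 included.
# This is the configuration the PCI scan flags.
# SSLProtocol all

# Hardened setting: keep SSL 3.0 and TLS 1.0, refuse SSL 2.0 outright.
SSLProtocol all -SSLv2

# SSL 2.0 also has its own cipher suites. Excluding them from the cipher
# list as well (the !SSLv2 keyword) means no v2 suite can be negotiated
# even if the protocol line is loosened again later. Export-grade and
# anonymous DH suites are dropped for the same reason: a scanner treats
# them as weak crypto too.
SSLCipherSuite HIGH:MEDIUM:!ADH:!EXPORT:!SSLv2
```

After restarting httpd, `openssl s_client -ssl2 -connect yourserver:443` should fail the handshake instead of printing a certificate, which is the same check the scanner performs; the imaps and pop3s daemons need the equivalent change in their own SSL settings.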