logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Disable SSLv2 Handshake
Author
flatcircle



Joined: 27 Jun 2006
Posts: 79

PostPosted: Thu 26 Aug '10 21:10    Post subject: Disable SSLv2 Handshake Reply with quote

Hello guys,

For security reasons, I have disabled SSLv2 (only using SSLv3 & TLS1.0).
However, a security scan (https://www.ssllabs.com/ssldb/index.html) for my domain indicates that "SSL 2.0+ Upgrade Support" is still 'on'.

According to SSL Labs "SSL 2.0+ Upgrade Support" means:
Quote:
"...the server supports SSLv2 handshake, even though it may not support SSLv2 itself."


Any ideas how I can disable this handshake as well?

I found another thread: http://forum.nginx.org/read.php?2,104032,104152 about the same issue.

Seems to solve this you have to enable 'fips support'.
How can I enable this on my Windows-Apache Server?

Regards
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 26 Aug '10 21:38    Post subject: Reply with quote

I won't say you can't, but fips on XP/2003 is trash and doesn't work.

Steffen, JBlond and I pounded this out a month ago.
See if you can absorb anything from
http://www.apachelounge.com/viewtopic.php?t=3595

I myself need to test JBlond's post. He squeaked out the best score with the least effort. I didn't try it cause I was tired of tweaking and testing at the time and eventually forgot about it.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 26 Aug '10 22:32    Post subject: Reply with quote

I can only get a 88 because of SSLv2+ unless I disable SSLv3, even with the JBlonds SSLCipherSuite string.

SSLProtocol +TLSv1 <- I get a 90
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

With the 88 I'm still PCI complient.
Back to top
flatcircle



Joined: 27 Jun 2006
Posts: 79

PostPosted: Thu 26 Aug '10 22:32    Post subject: Reply with quote

Thanks for the info!
Sorry, didn't saw the post you mentioned.

May be indeed a simpler solution to just use:
SSLProtocol +TLSv1
to get rid of the message

The settings below are quite secure I think.
Is it ok to use only TLSv1? Will most (modern) browsers support this?

SSLProtocol +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!aNULL:!LOW
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Thu 26 Aug '10 23:02    Post subject: Reply with quote

flatcircle wrote:
Is it ok to use only TLSv1? Will most (modern) browsers support this?


MSIE & Firefox do, there is 90+% of the browser market. I recently had someone on Opera connect and they related no problem to me. These are the only 3 I can say do.
Back to top
flatcircle



Joined: 27 Jun 2006
Posts: 79

PostPosted: Fri 27 Aug '10 9:14    Post subject: Reply with quote

Thank you for the info.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 27 Aug '10 10:11    Post subject: Reply with quote

I have to say that I switched a bit back, because auf the higher encryption of AES 256.

Code:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


To fips I also can say that it is crap under windows.

IRONY ON
Let's wait for OpenSSL 2 with TSLv2 and TSLv3 Support
IRONY OFF
Back to top


Reply to topic   Topic: Disable SSLv2 Handshake View previous topic :: View next topic
Post new topic   Forum Index -> Apache