From: John Almberg
To: freebsd-questions@freebsd.org
Date: Tue, 11 Nov 2008 08:50:56 -0500
Subject: Disallowing ssl2

My server got an audit for PCI compliance and was red-flagged for allowing SSL2 connections, which they have some problem with. They want the server to use SSL3 or TLS:

"Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.

Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See also : http://www.schneier.com/paper-ssl.pdf

Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.

Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)"

They want me to do this for https, imaps, and pop3s protocols...

Before I dig into this, I was wondering, is this even possible? Will anything break as a result?

-- John
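The check behind the scanner's finding, as an added example that is not part of John's mail or of any reply on the list: the scanner flags a service because it completes an SSLv2 handshake, so the same probe with `openssl s_client -ssl2` against ports 443, 993 and 995 tells you whether each service is still affected, before and after the configuration change. The script assumes an OpenSSL build that still contains SSLv2 and the `-ssl2` option (0.9.8 and 1.0.x; OpenSSL 1.1.0 and later have no SSLv2 code, so the option does not exist there). The host name and the two transcripts embedded for offline use are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original mail. Tests whether a TLS-wrapped
# service still completes an SSLv2 handshake, which is what the PCI scanner
# flagged. Assumption: an OpenSSL with SSLv2 compiled in (-ssl2 exists in
# 0.9.8/1.0.x, not in 1.1.0+). Host name and sample transcripts are
# constructed placeholders.

# Classify the output of "openssl s_client -ssl2". A completed SSLv2
# handshake prints a session line naming the protocol and a real cipher
# ("New, SSLv2, Cipher is DES-CBC3-MD5"); a refused one prints
# "New, (NONE), Cipher is (NONE)" plus a handshake-failure error. The
# "Protocol : SSLv2" line in SSL-Session appears in both cases, so it is
# deliberately not used as the signal.
# Prints "accepted" (exit 0) or "refused" (exit 1).
classify_sslv2_transcript() {
    if printf '%s\n' "$1" | grep -q 'New, SSLv2, Cipher is [A-Z0-9]'; then
        echo accepted
        return 0
    fi
    echo refused
    return 1
}

# Probe one host:port with an SSLv2-only handshake and classify the result.
# Exit 0 means the service still accepts SSLv2, i.e. the finding stands.
check_sslv2() {
    host=$1
    port=$2
    transcript=$(printf 'QUIT\r\n' | openssl s_client -ssl2 -connect "$host:$port" 2>&1)
    classify_sslv2_transcript "$transcript"
}

# Probe the three services named in the finding: https, imaps, pop3s.
audit_host() {
    for port in 443 993 995; do
        printf '%s:%s SSLv2 %s\n' "$1" "$port" "$(check_sslv2 "$1" "$port")"
    done
}

# Constructed, abridged transcripts so the classifier can be exercised
# without a network or a legacy OpenSSL.
SAMPLE_ACCEPTED=$(cat <<'EOF'
CONNECTED(00000003)
---
subject=/CN=mail.example.com
issuer=/CN=mail.example.com
---
Ciphers common between both SSL endpoints:
RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5
---
SSL handshake has read 874 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
EOF
)

SAMPLE_REFUSED=$(cat <<'EOF'
CONNECTED(00000003)
error:SSL routines:SSL2_WRITE:ssl handshake failure
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
EOF
)

# Usage (needs network access and a legacy OpenSSL):  audit_host mail.example.com
```

Run `audit_host` against the server once before the change and once after; the finding is cleared when all three ports report "refused". For https the scanner's own pointer applies: in Apache 2.0 mod_ssl the relevant directive is `SSLProtocol all -SSLv2`. The mail does not name the imaps/pop3s daemon, so its equivalent setting has to come from that daemon's documentation. Only clients that can speak nothing but SSLv2 lose access once it is disabled; anything capable of SSLv3 or TLS 1.0 negotiates those instead.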