From owner-freebsd-questions@FreeBSD.ORG Tue Nov 11 14:37:10 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AC1C810656D2 for ; Tue, 11 Nov 2008 14:37:10 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net) Received: from mail.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 712628FC2B for ; Tue, 11 Nov 2008 14:37:10 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net) Received: from localhost (mail.rachie.is-a-geek.net [192.168.2.101]) by mail.rachie.is-a-geek.net (Postfix) with ESMTP id 7F1A7AFC1C7; Tue, 11 Nov 2008 05:37:09 -0900 (AKST) From: Mel To: freebsd-questions@freebsd.org Date: Tue, 11 Nov 2008 15:37:05 +0100 User-Agent: KMail/1.9.7 References: <7F59430C-9DD9-44F1-B250-EB7109FBDF8B@identry.com> In-Reply-To: <7F59430C-9DD9-44F1-B250-EB7109FBDF8B@identry.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200811111537.06537.fbsd.questions@rachie.is-a-geek.net> Cc: John Almberg Subject: Re: Disallowing ssl2 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Nov 2008 14:37:10 -0000 On Tuesday 11 November 2008 14:50:56 John Almberg wrote: > My server got an audit for PCI compliance and was red-flagged for > allowing SSL2 connections, which they have some problem with. They > want the server to use SSL3 or TLS: > > "Synopsis : The remote service encrypts traffic using a protocol with > known weaknesses. Description : The remote service accepts > connections encrypted using SSL 2.0, which reportedly suffers from > several cryptographic flaws and has been deprecated for several > years. An attacker may be able to exploit these issues to conduct man- > in-the-middle attacks or decrypt communications between the affected > service and clients. See also : http://www.schneier.com/paper-ssl.pdf > Solution: Consult the application's documentation to disable SSL 2.0 > and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/ > kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/ > 2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium / CVSS Base > Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) " > > They want me to do this for https, imaps, and pop3s protocols... > > Before I dig into this, I was wondering, is this even possible? Will > anything break as a result? Only corner cases. SSLv2 was quite short-lived. I can't remember client implementations that had SSLv2 without TLS/v3, so I looked it up: http://en.wikipedia.org/wiki/Transport_Layer_Security "The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was released in 1994 but "contained a number of security flaws which ultimately led to the design of SSL version 3.0", which was released in 1996 (Rescorla 2001)." So it would break ancient clients, think superspeed 56kB dial-up internet ancient. -- Mel Problem with today's modular software: they start with the modules and never get to the software part.