Disable SSLv2 System Wide

For anyone that has had to deal with any of the "PCI auditing" companies you know how much of a pain in the ass SSLv2 can be. But, there's a few pretty easy ways to clear it up.

1. Compile OpenSSL without SSLv2 support

Ok this one is actually a joke. I hear it's possible but really who is going to waste the time.

2. Disable it per-application

So you only got busted for having SSLv2 enabled on a certain port, eh? Here's some basics. For the rest use Option 3 or RTFM and post in the comments ;-) Once you edit the correct files, Test for SSLv2 to make sure it's gone.

apache httpd:
Add the following line to your httpd.conf:

SSLProtocol ALL -SSLv2

A more secure method to make sure you pass PCI compliance is this:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

dovecot 1.0+ (keep reading)
Add this line to your dovecot.conf:

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

IIS 5.0 & 6.0
Microsoft has two articles on this, pick your poison:
http://support.microsoft.com/kb/216482
http://support.microsoft.com/kb/187498

lighttpd
Add to lighttpd.conf:

ssl.use-sslv2 = "disable"

postfix
main.cf:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high

proftpd
proftpd.conf:

TlsCipherList HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

slapd
slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

vsftpd
(This is only if you have SSL support enabled). vsftpd.conf:

ssl_sslv2=NO

Note on cipher lists:
In the above examples I used HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 but really if you just want to disable SSLv2 and leave other problematic ciphers you could use ALL:!SSLv2. Or you can come up with your own cipher list like ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM.

3. Use Stunnel

This is the penicillin of the SSL world. It will cure your problems. Use this to fix those pesky programs (except FTP) that don't allow you to edit the cipher list or worst of all, don't have SSL support.

Check if it's currently installed
(probably if you're using RHEL):

which stunnel

If it's not installed
Try to get it from the repositories:
CentOS/RHEL:

yum install stunnel

Ubuntu/Debian:

apt-get install stunnel4

Other: Compile from source. It's simple. Latest no-experimental build at time of writing was 4.20:

wget http://www.stunnel.org/download/stunnel/src/stunnel-4.20.tar.gz
tar xzvf stunnel-4.20.tar.gz
cd stunnel-4.20
./configure
make
sudo make install

You'll also want to install the init file:

sudo cp tools/stunnel.init /etc/init.d/stunnel
sudo chmod 755 /etc/init.d/stunnel
sudo chown root:root /etc/init.d/stunnel

If using RHEL/CentOS:

chkconfig --add stunnel

Setup the Stunnel certificate
I set a valid period for 10 years because I don't like dealing with these things. When it asks for the FQDN enter your server address (ex: adamyoung.net):

mkdir -p /etc/stunnel
cd /etc/stunnel
openssl req -newkey rsa:1024 -keyout key.pem -nodes -x509 -days 3650 -out cert.pem
cat key.pem > stunnel.pem
cat cert.pem >> stunnel.pem
rm key.pem cert.pem
chmod 600 stunnel.pem

Setup /etc/stunnel/stunnel.conf
For this example I'll use dovecot because I mentioned above that dovecot

cert = /etc/stunnel/stunnel.pem

[imaps]
accept  = 993
connect =  143

[pops]
accept  = 995
connect =  110

You may also want to secure the server you send outgoing mail to. First, check to make sure something else (postfix?) doesn't have the port open with

netstat -an | grep 465

If you see a line like this:

tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN

Then you're already taken care of. Otherwise, add the following lines to /etc/stunnel/stunnel.conf:

[smtps]
accept  = 465
connect = 25

Next up, you need to tell dovecot to stop listening on the IMAPS and POPS ports. Edit the protocols line of /etc/dovecot.conf:

protocols = imap pop3

Last step! Restart dovecot and start stunnel (in RHEL/CentOS you can use the service command instead):

/etc/init.d/dovecot restart
/etc/init.d/stunnel start

Testing that SSLv2 is Disabled

openssl s_client -connect HOSTNAME:PORT -ssl2

If you receive the certificate and a ton of other lines, you still have SSLv2 enabled. Otherwise, if you receive anything like these you're fine:
write:errno=54
8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Comments

This was very helpful!! You saved me a lot of time.

cheers!

On Apache 2.0.x, it seems necessary to include the first line, even if the second is used... the article should perhaps make that more clear... I had read it as the second was sufficient.

"
SSLProtocol ALL -SSLv2

A more secure method to make sure you pass PCI compliance is this:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
"

Thanks,
Barry

Also, neither line seems to work on Apache 1.3.

would you happen to know the commands which would work on apache 1.3

I try to disable dovecot sslv2 as you say.

Setup the Stunnel certificate
Setup /etc/stunnel/stunnel.conf

But it doesn't work. Help me! Thank you very much!

dovecot has it's own config file for disabling sslv2.

You are a saint for providing this. Saved me uncountable HOURS. Kudos for your clarity and completeness. Brilliant! Thanks!

ProFTPD's mod_tls module does not support SSLv2; it is programmatically disabled in the code. So the TLSCipherSuite you mentioned is not strictly necessary for disabling SSLv2 support in proftpd.

I followed you clear instructions, and everything seem to be right, until i test for SSLv2
openssl s_client -connect HOSTNAME:PORT -ssl2
(I replaced HOSTNAME with my host name and port with 995)
Unfortunately i receive the certificate.

There was a small difference in my stunnel.conf:

Instead of

[pops]
accept = 995
connect = 110

I have

[pop3s]
accept = 995
connect = 110

I have no dovecot installed...

Can you point me in the right direction?
Thanks,

Michael

Installed stunnel, but no dovecot installed.

I also have [pop3s]

I'm specifically having problem disabling weak cyphers, SSL 2 on port 995.

Michael, did you get this right?

Adam, any help?

Cheers
Francois

<a href="http://idnyul.com/newport-beach-houses/">Newport Beach Houses</a> is a charming coastal community in Orange County, California. It's also well known as the wealthiest city in the United States. Saat ini <a href="http://psychobone.idnyul.com/">Mobil Keluarga Ideal Terbaik Indonesia</a> menjadi perhatian tidak hanya keluarga indonesia, melainkan segmen di Indonesia

I am dealing with the exact XYZ auditing to disable SSLv2 and found your site, excellent!

thanks.

Eero

Here is a <A href="http://sial.org/howto/sendmail/cipherlist/#s3">recipe for sendmail's config file</A>... Their example:
<cite>LOCAL_CONFIG
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL</cite>

Apart from disabling SSL2, the following also ensure to use strong ciphers (in lighttpd.conf or the SSL sub-config file) for FF3 / IE7 / IE8:

ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-AES256-SHA;AES256-SHA;DHE-RSA-AES128-SHA;DES-CBC3-SHA"

If your clients are using IE6, use the following instead:

ssl.use-sslv2 = "disable"
ssl.cipher-list = ""DHE-RSA-AES256-SHA;AES256-SHA;DHE-RSA-AES128-SHA;EDH-RSA-DES-CBC3-SHA;AES256-SHA;AES128-SHA;DES-CBC3-SHA;DES-CBC3-MD5"

Hi,
I found this Blog very very useful. It saved my time. I am working for PCI certification for my company.

Thanks & regards
ajitdalvi96@yahoo.co.in

Qmail's cypher lists are in:

control/tlsserverciphers
control/tlsclientciphers

They use the same OpenSSL parameter lists as everything else, so:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-SSLv2

or

HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

etc.

I wrote a <a href="http://foundeo.com/products/iis-weak-ssl-ciphers/">tool to disable SSL v2 on IIS</a> if you don't like messing around in Regex.

i think that friv dosent have and viruses coz when i play on it dnt get any viruses <a href="http://www.cnaboard.com/">cna training</a>

You provided some good examples for other systems/products, but did not provide any command and syntax examples for stunnel v4.x.

I am running v 4.27 as a service on Windows Server 2003.

What is the proper syntax for disabling sslv2 in stunnel v4.x windows?
What chiphers should I allow? disallow? What strong chipers does stunnel 4.x support?

The built-in help file is not much help as you can see by the Examples below...

Example:
sslVersion = version
select version of SSL protocol
Allowed options: all, SSLv2, SSLv3, TLSv1

Example:
ciphers = cipherlist
Select permitted SSL ciphers
A colon delimited list of the ciphers to allow in the SSL connection. For example DES-CBC3-SHA:IDEA-CBC-MD5

for sslVersion, am I limited to only one item, or can I select sslv3 and tlsv1, and if so, how?
for ciphers, what ciphers shold I use to ensure that only strong ones are used at the server and client?

Thanks,
Tom

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2

I am using stunnel 4.27 to provide SSL services for another application

I was able to disable sslv2, but am still not PCI compliant

Here is what I have in my stunnel.config file...

sslVersion = all
options = NO_SSLv2
ciphers = HIGH:!SSLv2:!ADH:!Exp:!aNULL:!eNULL:!NULL

The ciphers that continue to show up are weak export ciphers.
DES-CBC-MD5 (56)
DES-CBC-SHA (56)
EXP-DES-CBC-SHA (40)
EXP-RC2-CBC-MD5 (40)
EXP-RC4-MD5 (40)

I would think my ciphers = line (above) would prevent the export and other weak ciphers from being used.

Is my ciphers line correct for stunnel v4?
ciphers = HIGH:!SSLv2:!ADH:!EXP:!aNULL:!eNULL:!NULL

Is the syntax different for stunnel v4?

Is there anything else I need to add to my config file to make my stunnel PCI compliant?

Thanks,
Tom

For stunnel4, this syntax is good:

ciphers = HIGH:!SSLv2:!ADH:!EXP:!aNULL:!eNULL:!NULL

You can verify with and without ciphers are follows:

From http://blog.stackley.net/blog1.php/2009/07/08/pci-compliance-weak-ciphers

openssl s_client -ssl2 -connect ipAddressOrHostName>:443
openssl s_client -cipher LOW -connect ipAddressOrHostName:443
openssl s_client -cipher LOW:EXP -connect ipAddressOrHostName:443

The following seems to be working for me.

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Disable SSLv2
options = NO_SSLv2

; List of allowed Ciphers
<strong>ciphers = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</strong>

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
TIMEOUTclose=0
options = DONT_INSERT_EMPTY_FRAGMENTS

I really enjoy and draw a good lesson following your nice tips. It really help me make my job easier.
<a href="http://usestationarybikes.com">used stationary bikes</a>

Thank you for the share, I am impressed..
<a href="http://www.tottini.com">baby furniture</a>

Me too, extremely usefull information. <a href="http://www.consultoriaretorno.com.br">Consultoria Empresarial</a>

I Agree, i will try it now. Technical information like this is very rare. Thanks for sharing. <a href="http://www.morangao.com.br/maquiagens">Maquiagens</a>.

Good stuff, thanks for much informative post.
<a href="http://www.professay.com/">custom essay writing</a>

One more nice script to learn. Very Glad that you shared this to us. It's some pretty great info and pretty good post. I'm sure some people will really like this information cause this have genuine information for the readers.Thank you for sharing with us.One more nice script to learn. Very Glad that you shared this to us. It's some pretty great info and pretty good post. I'm sure some people will really like this information cause this have genuine information for the readers.Thank you for sharing with us.
Ruby @ <a href="http://www.van-insurance-cheap.co.uk/">van insurance</a>

Mr. Coffee IDS77 Electric Coffee Grinder with Chamber Maid Cleaning System, Black Hamilton Beach 80365 Custom Grind Hands-Free Coffee Grinder, Platinum For ultimate freshness, grind your own coffee beans. These coffee grinders will make the job easier. <a href="http://coffee-appliances.com">coffe grinder</a> Online shopping for Eye Drops, Lubricants & Washes from a great selection of Health & Personal Care & more at everyday low prices.Find out which eye drops are right for dry eye, red eyes, allergies, conjunctivitis and other conditions. <a href="http://eyesearscare.info">eye drops</a> An electric toothbrush is designed to vibrate at a high speed, producing much more brush strokes per minute than manual toothbrushes. Global/English. Austria/Deutsch. Belgium/Français Belgium/Nederlands. Canada/ English Canada/Français. Denmark/Dansk. Finland/Suomeski. France/Français <a href="http://dentaloralhygiene.info">electric toothbrush</a> RadioShack.com- Buy - 5-Piece Basic Soldering Set - Everything you need for basic soldering March 29, 2005, Solder Rosin Core for 64-2802 Soldering Kit Weller D550PK Solder Gun Kit has a professional heavy-duty dual heat gun plus an assortment of accessories in a molded plastic storage case. <a href="http://solderingsupplies.info">soldering kit</a> Why to exfoliate the face? Regular face exfoliation is the best way to keep your skin clear and healthy looking. Exfoliating is skin treatments where the Get free info on natural exfoliator for skin care and facial exfoliator. Get tips on using natural facial exfoliator and about homemade face exfoliator. <a href="http://skincarecosmetics.info">face exfoliator</a>

simply spectacular and I imagine that you are an expert in this field. Well, with your permission, I can grab the RSS feed to keep up with incoming mail. A million thanks and please keep up the great work.<a href="http://forkliftcertification.org/forklift-schools/">best forklift schools</a>

Excellent Tutorial on SSLv2! this will provide the incentive and basis for my works. I wonder if I can mention the article to my office mates in <a href="http://www.eurodebt.com/">debt solutions</a>. Thanks!

Great stuff here. The information and the detail were just perfect. I think that your perspective is deep, its just well thought out and really fantastic to see someone who knows how to put these thoughts down so well. Great job on this.
<a href="http://www.business-opportunities-mentor.co.uk/">how to make money online</a>

Thanks for this tutorial mate. Well, this is my first visit to this site! But I admire the precious time and effort you put into it, especially into this tutorial on SSLv2 you share here!
<a href="http://beginnersspanishonline.com/rocket-spanish-review-is-the-hype-just... spanish review</a>

I enjoyed reading your tranformations. I see you offer priceless info. Stumbled into this website by chance but I’m sure glad I clicked on that link.
<a href="http://www.howtofightsecrets.com/">how to fight</a>

Valuable information and excellent tutorial on SSLv2 you got here! I would like to thank you for sharing your thoughts and time into the stuff you post!! Thumbs up!
<a href="http://internetmarketingstrategies.co/">internet marketing strategies</a>

great inspiring tutorial article. I am pretty much pleased with your good work. You put really very helpful information. Keep it up. Looking forward to your next post.
<a href="http://www.youtube.com/watch?v=_h-oLSgGZ5Q">how to punch</a>

The clarity of this message is simply spectacular and I imagine that you are an expert in this field. Well, with your permission, I can grab the RSS feed to keep up with incoming mail. A million thanks and please keep up the great work.
<a href="http://puppypottytrainingtips.org/">puppy potty training</a>

Good post. This is a very nice blog that I will definitively come back to more times this year! Thanks for informative post. I am sure this post has helped me save many hours of browsing other similar posts just to find what I was looking for. Many thanks! <a href="http://howtomakeatutu.net/">how to make a tutu</a>

Hi- I appreciate your good job there.I think it is great news for all. Thanks for your kind sharing and keep it on action in the future.
Regards,
<a href="http://townplannersbrisbane.com/">town planning brisbane</a>

Its well worth to read.I found it very informative as I have been researching a lot lately on practical matters.I must admit that Russia is a strong extremely country I have known.
<a href="http://placementargent.org/placement-immobilier/">fond de placement immobilier</a>

We're running a website on a IIS6.0 / Windows2003 SP1 server, with a Thawte
web server certificate installed to enable HTTPS access. Now we want to force
client connections use SSL v3 or SLT 1.0 or SLT 1.1 or better, so we decided
to stop supporting SSL v2 on this server. But we wonder what we have to do to
achive this?

Many thanks in advance!

<a href="http://longtermpaydayloans.info/">long term payday loans</a>

Thank you for posting such a useful website. Your weblog happens to be not just informative but also very stimulating too. There are a limited number of people who are capable of write technical articles that creatively. <a href="http://nuvenuschovendus.ind.br/" rel="follow">nuvenus chovendus</a>

It's a great niche for posting a comments as well , i need it from longtime..
<a href="http://venetianhotellasvegas.us/venetian-hotel-rates">venetian suite</a>

Hello, I am having hard time configuring my apache server with SSL. It always tells me that I don't have permission to view the page. Can anybody help me solve this problem.

Thanks,
AutumnAnderson
<a href="http://cashadvancedirectlender.info/">cash advance direct lender</a>

Hello!
Trying to disable SSLv2 in Leopard server. (Found in the response to 10.4 and proven system wide) I do not see any documentation on security, file server, OD, or anything else I found. Can anyone help me with this?
Thanks.
Alex
<a href="http://www.ableaudio.com/baton-rouge.html">Audio Speaker Rental Baton Rouge</a>

It is quite complicated to follow
<a href="http://mymemphisrealestateagent.com/memphis-lease-to-own-homes/">Memphis lease to own homes </a>

Great post! I'm just starting out in community management/marketing media and trying to learn how to do it well - resources like this article are incredibly helpful. As our company is based in the US, it's all a bit new to us.
<a href="http://www.drjsalomon.com/breast-augmentation-miami.asp" >breast augmentation miami</a>

Pages