This was very helpful!! You saved me a lot of time.

cheers!

On Apache 2.0.x, it seems necessary to include the first line, even if the second is used... the article should perhaps make that more clear... I had read it as the second was sufficient.

"
SSLProtocol ALL -SSLv2

A more secure method to make sure you pass PCI compliance is this:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
"

Thanks,
Barry

I try to disable dovecot sslv2 as you say.

Setup the Stunnel certificate
Setup /etc/stunnel/stunnel.conf

But it doesn't work. Help me! Thank you very much!

You are a saint for providing this. Saved me uncountable HOURS. Kudos for your clarity and completeness. Brilliant! Thanks!

ProFTPD's mod_tls module does not support SSLv2; it is programmatically disabled in the code. So the TLSCipherSuite you mentioned is not strictly necessary for disabling SSLv2 support in proftpd.

I followed you clear instructions, and everything seem to be right, until i test for SSLv2
openssl s_client -connect HOSTNAME:PORT -ssl2
(I replaced HOSTNAME with my host name and port with 995)
Unfortunately i receive the certificate.

There was a small difference in my stunnel.conf:

Instead of

[pops]
accept = 995
connect = 110

I have

[pop3s]
accept = 995
connect = 110

I have no dovecot installed...

Can you point me in the right direction?
Thanks,

Michael

I am dealing with the exact XYZ auditing to disable SSLv2 and found your site, excellent!

thanks.

Eero

Here is a recipe" rel="nofollow">http://sial.org/howto/sendmail/cipherlist/#s3">recipe for sendmail's config file... Their example:
LOCAL_CONFIG
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

Apart from disabling SSL2, the following also ensure to use strong ciphers (in lighttpd.conf or the SSL sub-config file) for FF3 / IE7 / IE8:

ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-AES256-SHA;AES256-SHA;DHE-RSA-AES128-SHA;DES-CBC3-SHA"

If your clients are using IE6, use the following instead:

ssl.use-sslv2 = "disable"
ssl.cipher-list = ""DHE-RSA-AES256-SHA;AES256-SHA;DHE-RSA-AES128-SHA;EDH-RSA-DES-CBC3-SHA;AES256-SHA;AES128-SHA;DES-CBC3-SHA;DES-CBC3-MD5"

Hi,
I found this Blog very very useful. It saved my time. I am working for PCI certification for my company.

Thanks & regards

Qmail's cypher lists are in:

control/tlsserverciphers
control/tlsclientciphers

They use the same OpenSSL parameter lists as everything else, so:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-SSLv2

or

HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

etc.

I wrote a tool" rel="nofollow">http://foundeo.com/products/iis-weak-ssl-ciphers/">tool to disable SSL v2 on IIS if you don't like messing around in Regex.

You provided some good examples for other systems/products, but did not provide any command and syntax examples for stunnel v4.x.

I am running v 4.27 as a service on Windows Server 2003.

What is the proper syntax for disabling sslv2 in stunnel v4.x windows?
What chiphers should I allow? disallow? What strong chipers does stunnel 4.x support?

The built-in help file is not much help as you can see by the Examples below...

Example:
sslVersion = version
select version of SSL protocol
Allowed options: all, SSLv2, SSLv3, TLSv1

Example:
ciphers = cipherlist
Select permitted SSL ciphers
A colon delimited list of the ciphers to allow in the SSL connection. For example DES-CBC3-SHA:IDEA-CBC-MD5

for sslVersion, am I limited to only one item, or can I select sslv3 and tlsv1, and if so, how?
for ciphers, what ciphers shold I use to ensure that only strong ones are used at the server and client?

Thanks,
Tom

I really enjoy and draw a good lesson following your nice tips. It really help me make my job easier.

Thank you for the share, I am impressed..
baby furniture

Good stuff, thanks for much informative post.
custom" rel="nofollow">http://www.professay.com/">custom essay writing

One more nice script to learn. Very Glad that you shared this to us. It's some pretty great info and pretty good post. I'm sure some people will really like this information cause this have genuine information for the readers.Thank you for sharing with us.One more nice script to learn. Very Glad that you shared this to us. It's some pretty great info and pretty good post. I'm sure some people will really like this information cause this have genuine information for the readers.Thank you for sharing with us.
Ruby @ van" rel="nofollow">http://www.van-insurance-cheap.co.uk/">van insurance

Excellent Tutorial on SSLv2! this will provide the incentive and basis for my works. I wonder if I can mention the article to my office mates in debt" rel="nofollow">http://www.eurodebt.com/">debt solutions. Thanks!

Great stuff here. The information and the detail were just perfect. I think that your perspective is deep, its just well thought out and really fantastic to see someone who knows how to put these thoughts down so well. Great job on this.
how" rel="nofollow">http://www.business-opportunities-mentor.co.uk/">how to make money online

Thanks for this tutorial mate. Well, this is my first visit to this site! But I admire the precious time and effort you put into it, especially into this tutorial on SSLv2 you share here!

I enjoyed reading your tranformations. I see you offer priceless info. Stumbled into this website by chance but I’m sure glad I clicked on that link.

Valuable information and excellent tutorial on SSLv2 you got here! I would like to thank you for sharing your thoughts and time into the stuff you post!! Thumbs up!

great inspiring tutorial article. I am pretty much pleased with your good work. You put really very helpful information. Keep it up. Looking forward to your next post.