Disable SSLv2 System Wide
Submitted by adam on Tue, 2008-01-29 04:08.
For anyone that has had to deal with any of the "PCI auditing" companies, you know how much of a pain in the ass SSLv2 can be. (It gets flagged for good reason: the SSLv2 handshake isn't integrity protected, so someone on the path can strip the strong ciphers out of the client's offer and force the weakest one both sides support.) But there are a few pretty easy ways to clear it up.
1. Compile OpenSSL without SSLv2 support
Ok, this one is actually a joke. It's possible (OpenSSL's configure script takes a no-ssl2 option), but every program built against the stock library that references the SSLv2 functions then needs rebuilding too, so on a packaged system nobody is going to waste the time.
2. Disable it per-application
So you only got busted for having SSLv2 enabled on a certain port, eh? Here are the basics for the common daemons. For the rest use Option 3 or RTFM and post in the comments ;-) Once you've edited the correct files, restart the service and test for SSLv2 (see the end of this post) to make sure it's gone.
apache httpd:
Add the following line to your httpd.conf (or wherever your mod_ssl config lives), inside the SSL virtual host or at server level:
SSLProtocol ALL -SSLv2
To also drop the anonymous and NULL-cipher suites that PCI scanners flag, set a cipher list as well:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
Use both lines. SSLCipherSuite only decides which cipher suites may be negotiated; it's SSLProtocol that actually switches the SSLv2 handshake off (on Apache 2.0.x in particular the cipher list on its own is not enough). Restart httpd afterwards.
dovecot 1.0+ (< 1.0 keep reading)
Add this line to your dovecot.conf:
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
IIS 5.0 & 6.0
Microsoft has two articles on this, pick your poison:
http://support.microsoft.com/kb/216482
http://support.microsoft.com/kb/187498
lighttpd
Add to lighttpd.conf:
ssl.use-sslv2 = "disable"
postfix
main.cf:
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
Note that the smtpd_tls_mandatory_* settings only apply when TLS is enforced (smtpd_tls_security_level = encrypt). With opportunistic TLS (smtpd_tls_security_level = may) they are ignored, and you need smtpd_tls_protocols and smtpd_tls_ciphers instead, which exist from Postfix 2.6 on. Reload postfix afterwards.
proftpd
proftpd.conf:
TlsCipherList HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
slapd
slapd.conf:
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
vsftpd
(This is only if you have SSL support enabled). vsftpd.conf:
ssl_sslv2=NO
Note on cipher lists:
In the above examples I used HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3, but if you just want to disable SSLv2 and leave the other problematic ciphers alone you could use ALL:!SSLv2. Or you can come up with your own cipher list like ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM. A few things worth knowing when you do: "!" removes matching suites permanently (a later rule can't add them back), "-" removes them but lets a later rule re-add them, and "+" only moves matching suites to the end of the list, so "+TLSv1" and "+SSLv3" reorder things rather than enable anything. Run openssl ciphers -v with your string to see exactly what it expands to before you deploy it. Also keep in mind that a cipher list controls which suites are offered, not which protocol versions are accepted; where the application has a separate protocol setting (SSLProtocol, ssl.use-sslv2, ssl_sslv2, smtpd_tls_mandatory_protocols) set that too rather than relying on !SSLv2 alone.
3. Use Stunnel
This is the penicillin of the SSL world. It will cure your problems. Use this to fix those pesky programs (except FTP) that don't allow you to edit the cipher list or worst of all, don't have SSL support.
Check if it's currently installed
(probably if you're using RHEL):
which stunnel
If it's not installed
Try to get it from the repositories:
CentOS/RHEL:
yum install stunnel
Ubuntu/Debian:
apt-get install stunnel4
Other: Compile from source. It's simple. The latest non-experimental build at time of writing was 4.20:
wget http://www.stunnel.org/download/stunnel/src/stunnel-4.20.tar.gz
tar xzvf stunnel-4.20.tar.gz
cd stunnel-4.20
./configure
make
sudo make install
You'll also want to install the init file:
sudo cp tools/stunnel.init /etc/init.d/stunnel
sudo chmod 755 /etc/init.d/stunnel
sudo chown root:root /etc/init.d/stunnel
If using RHEL/CentOS:
chkconfig --add stunnel
Setup the Stunnel certificate
I set a validity period of 10 years because I don't like dealing with these things. Use a 2048-bit key rather than the 1024-bit one this post originally showed; 1024-bit RSA is no longer considered adequate. When it asks for the FQDN (the Common Name) enter your server's hostname (ex: adamyoung.net):
mkdir -p /etc/stunnel
cd /etc/stunnel
openssl req -newkey rsa:2048 -keyout key.pem -nodes -x509 -days 3650 -out cert.pem
cat key.pem > stunnel.pem
cat cert.pem >> stunnel.pem
rm key.pem cert.pem
chmod 600 stunnel.pem
Being self-signed, this certificate will make mail clients complain until they are told to trust it. If you already have a CA-issued certificate for the host, concatenate that key and certificate (plus any intermediate certificates) into stunnel.pem instead.
Setup /etc/stunnel/stunnel.conf
For this example I'll use dovecot because I mentioned above that dovecot < 1.0 users would need to use this option. This accepts SSL connections on the normal IMAPS and POPS ports, terminates the SSL there, and forwards the plaintext to dovecot's unencrypted IMAP and POP ports on the local machine (connect = 143 means localhost:143). Two things to get right. First, make sure 143 and 110 are only reachable from localhost (bind them there or firewall them), otherwise you've just published plaintext IMAP and POP to the world. Second, stunnel itself has to be told not to accept SSLv2: out of the box it lets OpenSSL negotiate it, and the scanner will flag 993 and 995 just as before (see the stunnel discussion in the comments). The service-level settings sslVersion, options (for OpenSSL's NO_SSLv2 option) and ciphers take care of that, and putting them before the first [section] makes them the default for every service. The minimal file is:
cert = /etc/stunnel/stunnel.pem
[imaps]
accept = 993
connect = 143
[pops]
accept = 995
connect = 110
You may also want to secure the port your users submit outgoing mail on (SMTPS, 465). First, check that something else (postfix?) doesn't already have the port open:
netstat -an | grep 465
If you see a line like this:
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
then something is already listening there and its own SSL settings (the postfix section above, if it's postfix) are what count. Otherwise, add the following lines to /etc/stunnel/stunnel.conf, which hands the decrypted session to your MTA on port 25:
[smtps]
accept = 465
connect = 25
Next up, you need to tell dovecot to stop listening on the IMAPS and POPS ports so that stunnel can bind them. Edit the protocols line of /etc/dovecot.conf:
protocols = imap pop3
Last step! Restart dovecot and start stunnel (in RHEL/CentOS you can use the service command instead), then run the SSLv2 test below against 993 and 995:
/etc/init.d/dovecot restart
/etc/init.d/stunnel start
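Here is the whole /etc/stunnel/stunnel.conf for the dovecot setup above with SSLv2 turned off in stunnel itself. This is an added example, not the post's original file. It uses only directives documented for stunnel 4.x (cert, sslVersion, options, ciphers, accept, connect); the cipher string is my choice in the same style as the rest of this page, and the [smtps] section only belongs if nothing else already listens on 465. sslVersion, options and ciphers are service-level settings, so placing them before the first [section] makes them the default for every service.

```ini
; /etc/stunnel/stunnel.conf  (added example, not the post's original file)
cert = /etc/stunnel/stunnel.pem

; Service-level defaults: everything here applies to every [section] below
; that does not override it. Let OpenSSL negotiate any version, then veto
; SSLv2 with the SSL_OP_NO_SSLv2 option, and keep only strong, authenticated
; cipher suites (no anonymous DH, no NULL ciphers).
sslVersion = all
options = NO_SSLv2
ciphers = HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

[imaps]
accept = 993
connect = 143

[pops]
accept = 995
connect = 110

; Only if nothing else (postfix?) is already listening on 465
[smtps]
accept = 465
connect = 25
```

After editing, restart stunnel and test 993, 995 and 465 with the SSLv2 check from the next section. The ciphers line alone would not be enough: OpenSSL's HIGH group includes SSLv2 cipher kinds such as DES-CBC3-MD5, so it is options = NO_SSLv2 that stops the SSLv2 handshake outright, with !SSLv2 in the cipher list as a second line of defence on older OpenSSL builds.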
Testing that SSLv2 is Disabled
openssl s_client -connect HOSTNAME:PORT -ssl2
If you get the certificate back followed by a ton of other lines, you still have SSLv2 enabled. If instead you get something like these, you're fine:
write:errno=54
8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
Two caveats. This only works if the openssl you are testing with still has SSLv2 compiled in: OpenSSL 1.1.0 and later dropped it entirely, and many distribution builds disabled it before that, so "unknown option -ssl2" tells you about your client, not the server. And it only tests ports that wrap the whole connection in SSL (443, 993, 995, 465); for STARTTLS on 25, 143 or 110 add -starttls smtp, -starttls imap or -starttls pop3 respectively.
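Because a current openssl can't send an SSLv2 hello at all, here is an added example (mine, not code from the original post) that speaks just enough SSLv2 to run the test itself. It sends an SSLv2 CLIENT-HELLO offering all seven cipher kinds from the SSLv2 spec and classifies the reply: a SERVER-HELLO with version 0x0002 means SSLv2 is still accepted (and the response lists which cipher kinds the server was willing to use), while a TLS alert record, a TLS handshake record or a closed connection means it is off. The sample SERVER-HELLO and alert bytes at the bottom are constructed for the offline self-check, not captured traffic; the host and port come from the command line. Like s_client without -starttls, it only tests SSL-wrapped ports.

```python
"""Minimal SSLv2 probe: send a CLIENT-HELLO and classify what comes back.

Added example, not code from the original post. It speaks the SSLv2 record
format directly, so it works even where the local openssl has no -ssl2.
"""
import os
import socket
import struct
import sys

# The seven cipher kinds defined by the SSLv2 spec, 3 bytes each.
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
SSL2_MT_CLIENT_HELLO = 1
SSL2_MT_SERVER_HELLO = 4
SSL2_VERSION = 0x0002


def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record offering every cipher kind."""
    if challenge is None:
        challenge = os.urandom(16)
    specs = b"".join(SSL2_CIPHER_KINDS)
    # msg type, version, cipher-specs length, session-id length, challenge length
    body = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, SSL2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte record header: high bit set means no padding byte, low 15 bits are the length
    return struct.pack("!H", 0x8000 | len(body)) + body


def record_length(data):
    """Total size of the first record in data, or None if its header is incomplete."""
    if len(data) < 5:
        return None
    if data[0] & 0x80:                                  # SSLv2, 2-byte header
        return 2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF)
    if data[0] in (0x15, 0x16):                         # SSLv3/TLS record, 5-byte header
        return 5 + struct.unpack("!H", data[3:5])[0]
    return 3 + (((data[0] & 0x3F) << 8) | data[1])      # SSLv2, 3-byte header (padded)


def parse_server_response(data):
    """Classify the server's reply. Returns (sslv2_accepted, cipher_names, note)."""
    if not data:
        return False, [], "connection closed without a reply"
    if data[0] in (0x15, 0x16):
        # An SSLv3/TLS alert or handshake record: the server would not talk SSLv2.
        return False, [], "TLS-framed reply, SSLv2 refused"
    if len(data) < 3:
        return False, [], "reply too short to be a record"
    if data[0] & 0x80:
        hdr, rec_len = 2, struct.unpack("!H", data[:2])[0] & 0x7FFF
    else:
        hdr, rec_len = 3, ((data[0] & 0x3F) << 8) | data[1]
    msg = data[hdr:hdr + rec_len]
    if len(msg) < 11 or msg[0] != SSL2_MT_SERVER_HELLO:
        return False, [], "SSLv2-framed reply but not a SERVER-HELLO"
    # SERVER-HELLO: type, session-id hit, cert type, version, cert len,
    # cipher-specs len, connection-id len, then cert, cipher specs, connection id
    version, cert_len, spec_len = struct.unpack("!HHH", msg[3:9])
    if version != SSL2_VERSION:
        return False, [], "SERVER-HELLO with version 0x%04x" % version
    specs = msg[11 + cert_len:11 + cert_len + spec_len]
    names = [SSL2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names, "SSLv2 SERVER-HELLO received"


def probe(host, port, timeout=5.0):
    """Send a CLIENT-HELLO to host:port (an SSL-wrapped port, not STARTTLS)."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while True:
                need = record_length(reply)
                if need is not None and len(reply) >= need:
                    break
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except OSError:
            pass  # reset or timeout: classify whatever we got, possibly nothing
    return parse_server_response(reply)


# Constructed sample replies for an offline self-check (not captured traffic):
# a SERVER-HELLO with a 4-byte placeholder certificate, two cipher kinds and a
# 16-byte connection id, and a TLSv1 fatal protocol_version alert.
_srv_body = (struct.pack("!BBBHHHH", SSL2_MT_SERVER_HELLO, 0, 1, SSL2_VERSION, 4, 6, 16)
             + b"CERT" + b"\x01\x00\x80\x07\x00\xc0" + b"C" * 16)
SAMPLE_SSLV2_SERVER_HELLO = struct.pack("!H", 0x8000 | len(_srv_body)) + _srv_body
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    accepted, ciphers, note = probe(host, port)
    print("%s:%d %s" % (host, port, note))
    if accepted:
        print("SSLv2 STILL ENABLED, server offered:", ", ".join(ciphers))
```

Run it as python sslv2probe.py HOSTNAME 993 (the file name is whatever you save it as). It stops after the server's first record, so against a server that still speaks SSLv2 you get the cipher kinds it picked, which is the same information the PCI scanner is reporting.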

stunnel v4.x options and syntax to disable SSLv2 and weak ciphers
You provided some good examples for other systems/products, but did not provide any command and syntax examples for stunnel v4.x.
I am running v 4.27 as a service on Windows Server 2003.
What is the proper syntax for disabling sslv2 in stunnel v4.x windows?
What ciphers should I allow? Disallow? What strong ciphers does stunnel 4.x support?
The built-in help file is not much help as you can see by the Examples below...
Example:
sslVersion = version
select version of SSL protocol
Allowed options: all, SSLv2, SSLv3, TLSv1
Example:
ciphers = cipherlist
Select permitted SSL ciphers
A colon delimited list of the ciphers to allow in the SSL connection. For example DES-CBC3-SHA:IDEA-CBC-MD5
For sslVersion, am I limited to only one item, or can I select SSLv3 and TLSv1, and if so, how?
For ciphers, what ciphers should I use to ensure that only strong ones are used at the server and client?
Thanks,
Tom
; Protocol version (all,
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2
Stunnel 4.27 PCI compliance
I am using stunnel 4.27 to provide SSL services for another application
I was able to disable sslv2, but am still not PCI compliant
Here is what I have in my stunnel.config file...
sslVersion = all
options = NO_SSLv2
ciphers = HIGH:!SSLv2:!ADH:!Exp:!aNULL:!eNULL:!NULL
The ciphers that continue to show up are weak export ciphers.
DES-CBC-MD5 (56)
DES-CBC-SHA (56)
EXP-DES-CBC-SHA (40)
EXP-RC2-CBC-MD5 (40)
EXP-RC4-MD5 (40)
I would think my ciphers = line (above) would prevent the export and other weak ciphers from being used.
Is my ciphers line correct for stunnel v4?
ciphers = HIGH:!SSLv2:!ADH:!EXP:!aNULL:!eNULL:!NULL
Is the syntax different for stunnel v4?
Is there anything else I need to add to my config file to make my stunnel PCI compliant?
Thanks,
Tom
GUI Tool for IIS
I wrote a tool to disable SSL v2 on IIS if you don't like messing around in Regex.
Qmail
Qmail's cipher lists are in:
control/tlsserverciphers
control/tlsclientciphers
They use the same OpenSSL parameter lists as everything else, so:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-SSLv2
or
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
etc.
Very useful
Hi,
I found this Blog very very useful. It saved my time. I am working for PCI certification for my company.
Thanks & regards
ajitdalvi96@yahoo.co.in
Lighttpd cipher list
Apart from disabling SSL2, the following also ensures that strong ciphers are used (in lighttpd.conf or the SSL sub-config file) for FF3 / IE7 / IE8:
ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-AES256-SHA;AES256-SHA;DHE-RSA-AES128-SHA;DES-CBC3-SHA"
If your clients are using IE6, use the following instead:
ssl.use-sslv2 = "disable"
ssl.cipher-list = "DHE-RSA-AES256-SHA;AES256-SHA;DHE-RSA-AES128-SHA;EDH-RSA-DES-CBC3-SHA;AES256-SHA;AES128-SHA;DES-CBC3-SHA;DES-CBC3-MD5"
A recipe for sendmail
Here is a recipe for sendmail's config file... Their example:
LOCAL_CONFIG
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
nice site
thanks.
Eero
I am dealing with the exact
I am dealing with the exact XYZ auditing to disable SSLv2 and found your site, excellent!
SSLv2 still enabled after installing and configuring stunnel
I followed your clear instructions, and everything seems to be right, until I test for SSLv2:
openssl s_client -connect HOSTNAME:PORT -ssl2
(I replaced HOSTNAME with my host name and PORT with 995.)
Unfortunately I receive the certificate.
There was a small difference in my stunnel.conf:
Instead of
[pops]
accept = 995
connect = 110
I have
[pop3s]
accept = 995
connect = 110
I have no dovecot installed...
Can you point me in the right direction?
Thanks,
Michael
ProFTPD's mod_tls module
ProFTPD's mod_tls module does not support SSLv2; it is programmatically disabled in the code. So the TLSCipherSuite you mentioned is not strictly necessary for disabling SSLv2 support in proftpd.
Brilliant
You are a saint for providing this. Saved me uncountable HOURS. Kudos for your clarity and completeness. Brilliant! Thanks!
dovecot disable sslv2
I try to disable dovecot sslv2 as you say.
Setup the Stunnel certificate
Setup /etc/stunnel/stunnel.conf
But it doesn't work. Help me! Thank you very much!
dovecot has its own config
dovecot has its own config file for disabling sslv2.
re Apache
On Apache 2.0.x, it seems necessary to include the first line, even if the second is used... the article should perhaps make that more clear... I had read it as the second was sufficient.
"
SSLProtocol ALL -SSLv2
A more secure method to make sure you pass PCI compliance is this:
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
"
Thanks,
Barry
Apache 1.3
Also, neither line seems to work on Apache 1.3.
good one
cheers!
Thanks
This was very helpful!! You saved me a lot of time.