For anyone that has had to deal with any of the "PCI auditing" companies you know how much of a pain in the ass SSLv2 can be. But, there's a few pretty easy ways to clear it up.
Ok this one is actually a joke. I hear it's possible but really who is going to waste the time.
So you only got busted for having SSLv2 enabled on a certain port, eh? Here's some basics. For the rest use Option 3 or RTFM and post in the comments ;-) Once you edit the correct files, Test for SSLv2 to make sure it's gone.
Add the following line to your httpd.conf:
SSLProtocol ALL -SSLv2
A more secure method to make sure you pass PCI compliance is this:
dovecot 1.0+ (keep reading)
Add this line to your dovecot.conf:
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Add to lighttpd.conf:
ssl.use-sslv2 = "disable"
smtpd_tls_mandatory_protocols = SSLv3, TLSv1 smtpd_tls_mandatory_ciphers = medium, high
(This is only if you have SSL support enabled). vsftpd.conf:
Note on cipher lists:
In the above examples I used HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 but really if you just want to disable SSLv2 and leave other problematic ciphers you could use ALL:!SSLv2. Or you can come up with your own cipher list like ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM.
This is the penicillin of the SSL world. It will cure your problems. Use this to fix those pesky programs (except FTP) that don't allow you to edit the cipher list or worst of all, don't have SSL support.
Check if it's currently installed
(probably if you're using RHEL):
If it's not installed
Try to get it from the repositories:
yum install stunnel
apt-get install stunnel4
Other: Compile from source. It's simple. Latest no-experimental build at time of writing was 4.20:
wget http://www.stunnel.org/download/stunnel/src/stunnel-4.20.tar.gz tar xzvf stunnel-4.20.tar.gz cd stunnel-4.20 ./configure make sudo make install
You'll also want to install the init file:
sudo cp tools/stunnel.init /etc/init.d/stunnel sudo chmod 755 /etc/init.d/stunnel sudo chown root:root /etc/init.d/stunnel
If using RHEL/CentOS:
chkconfig --add stunnel
Setup the Stunnel certificate
I set a valid period for 10 years because I don't like dealing with these things. When it asks for the FQDN enter your server address (ex: adamyoung.net):
mkdir -p /etc/stunnel cd /etc/stunnel openssl req -newkey rsa:1024 -keyout key.pem -nodes -x509 -days 3650 -out cert.pem cat key.pem > stunnel.pem cat cert.pem >> stunnel.pem rm key.pem cert.pem chmod 600 stunnel.pem
For this example I'll use dovecot because I mentioned above that dovecot
cert = /etc/stunnel/stunnel.pem [imaps] accept = 993 connect = 143 [pops] accept = 995 connect = 110
You may also want to secure the server you send outgoing mail to. First, check to make sure something else (postfix?) doesn't have the port open with
netstat -an | grep 465
If you see a line like this:
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN
Then you're already taken care of. Otherwise, add the following lines to /etc/stunnel/stunnel.conf:
[smtps] accept = 465 connect = 25
Next up, you need to tell dovecot to stop listening on the IMAPS and POPS ports. Edit the protocols line of /etc/dovecot.conf:
protocols = imap pop3
Last step! Restart dovecot and start stunnel (in RHEL/CentOS you can use the service command instead):
/etc/init.d/dovecot restart /etc/init.d/stunnel start
openssl s_client -connect HOSTNAME:PORT -ssl2
If you receive the certificate and a ton of other lines, you still have SSLv2 enabled. Otherwise, if you receive anything like these you're fine:
8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428: