Disable SSLv2 System Wide

For anyone who has had to deal with any of the "PCI auditing" companies, you know what a pain in the ass SSLv2 can be. But there are a few pretty easy ways to clear it up.

1. Compile OpenSSL without SSLv2 support

OK, this one is actually a joke. I hear it's possible, but really, who is going to waste the time?

2. Disable it per-application

So you only got busted for having SSLv2 enabled on a certain port, eh? Here are some basics. For the rest, use Option 3 or RTFM and post in the comments ;-) Once you've edited the correct files, run the SSLv2 test at the end of this post to make sure it's really gone.

apache httpd:
Add the following line to your httpd.conf:

SSLProtocol ALL -SSLv2

A more thorough way to make sure you pass the PCI scan is to also restrict the cipher suite:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

dovecot 1.0+ (keep reading)
Add this line to your dovecot.conf:

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

IIS 5.0 & 6.0
Microsoft has two articles on this, pick your poison:
http://support.microsoft.com/kb/216482
http://support.microsoft.com/kb/187498

lighttpd
Add to lighttpd.conf:

ssl.use-sslv2 = "disable"

postfix
main.cf:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high

Note that the smtpd_tls_mandatory_* settings only apply when TLS is required (smtpd_tls_security_level = encrypt); for opportunistic TLS, Postfix 2.6 and later has smtpd_tls_protocols.

proftpd
proftpd.conf (mod_tls; the directive is TLSCipherSuite, not TlsCipherList):

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

slapd
slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

vsftpd
(This is only if you have SSL support enabled). vsftpd.conf:

ssl_sslv2=NO

Note on cipher lists:
In the above examples I used HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3, but if you just want to disable SSLv2 and leave the other problematic ciphers alone, you could use ALL:!SSLv2. Or you can come up with your own cipher list, like ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM. You can see exactly which ciphers a string expands to with openssl ciphers -v 'STRING'.

3. Use Stunnel

This is the penicillin of the SSL world. It will cure your problems. Use it to fix those pesky programs (except FTP) that don't let you edit the cipher list or, worst of all, don't have SSL support at all: stunnel accepts the SSL connection and forwards it in plain text to the application's local port.

Check whether it's already installed
(it probably is if you're using RHEL):

which stunnel

If it's not installed
Try to get it from the repositories:
CentOS/RHEL:

yum install stunnel

Ubuntu/Debian:

apt-get install stunnel4

Other: compile from source. It's simple. The latest non-experimental build at the time of writing was 4.20:

wget http://www.stunnel.org/download/stunnel/src/stunnel-4.20.tar.gz
tar xzvf stunnel-4.20.tar.gz
cd stunnel-4.20
./configure
make
sudo make install

You'll also want to install the init file:

sudo cp tools/stunnel.init /etc/init.d/stunnel
sudo chmod 755 /etc/init.d/stunnel
sudo chown root:root /etc/init.d/stunnel

If using RHEL/CentOS:

chkconfig --add stunnel

Set up the stunnel certificate
I set a validity period of 10 years because I don't like dealing with these things. When it asks for the Common Name (FQDN), enter your server's hostname (e.g. adamyoung.net). The command below creates a 1024-bit RSA key, which was typical when this was written; 2048 bits or more is the norm today:

mkdir -p /etc/stunnel
cd /etc/stunnel
openssl req -newkey rsa:1024 -keyout key.pem -nodes -x509 -days 3650 -out cert.pem
cat key.pem > stunnel.pem
cat cert.pem >> stunnel.pem
rm key.pem cert.pem
chmod 600 stunnel.pem

Set up /etc/stunnel/stunnel.conf
For this example I'll use dovecot because I mentioned above that dovecot

cert = /etc/stunnel/stunnel.pem

[imaps]
accept  = 993
connect =  143

[pops]
accept  = 995
connect =  110

You may also want to secure the SMTP port your clients send outgoing mail to. First, check that something else (Postfix?) isn't already listening on port 465:

netstat -an | grep 465

If you see a line like this:

tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN

Then you're already taken care of. Otherwise, add the following lines to /etc/stunnel/stunnel.conf:

[smtps]
accept  = 465
connect = 25

Next up, you need to tell dovecot to stop listening on the IMAPS and POPS ports. Edit the protocols line of /etc/dovecot.conf:

protocols = imap pop3

Last step! Restart dovecot and start stunnel (on RHEL/CentOS you can use the service command instead). Then run the SSLv2 test below against ports 993 and 995; if stunnel itself still answers SSLv2, add options = NO_SSLv2 to the global section of stunnel.conf.

/etc/init.d/dovecot restart
/etc/init.d/stunnel start

Testing that SSLv2 is Disabled

openssl s_client -connect HOSTNAME:PORT -ssl2

If you get the certificate back along with a ton of other lines, you still have SSLv2 enabled. If instead you get something like the lines below, you're fine. (If openssl complains that -ssl2 is an unknown option, your local OpenSSL build has no SSLv2 support; that tells you nothing about the server, so test from a build that has it.)
write:errno=54
8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
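The pass/fail rule above, turned into a reusable check so you can sweep every port you changed. This is an added example, not from the original post; sslv2_verdict and check_sslv2 are hypothetical helper names, and it assumes a local OpenSSL build that still accepts -ssl2.

```shell
#!/bin/sh
# Added example: classify "openssl s_client -ssl2" output the way the post describes.
# Exit codes: 0 = SSLv2 refused (good), 1 = SSLv2 handshake completed (bad),
#             2 = local openssl has no SSLv2 support, 3 = unrecognised output.
sslv2_verdict() {
    case "$1" in
        *"unknown option -ssl2"*) return 2 ;;
        # A certificate coming back means the server completed an SSLv2 handshake.
        *"BEGIN CERTIFICATE"*) return 1 ;;
        # Handshake failure or write error with no certificate: SSLv2 is off.
        *"handshake failure"*|*"write:errno="*|*"connect:errno="*) return 0 ;;
    esac
    return 3
}

# Run the test against one host:port and print a one-line verdict.
check_sslv2() {
    host=$1
    port=$2
    # "echo |" closes stdin so s_client exits instead of waiting for input.
    out=$(echo | openssl s_client -connect "$host:$port" -ssl2 2>&1)
    if sslv2_verdict "$out"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "$host:$port SSLv2 disabled" ;;
        1) echo "$host:$port SSLv2 STILL ENABLED" ;;
        2) echo "$host:$port local openssl cannot speak SSLv2; test inconclusive" ;;
        *) echo "$host:$port unexpected output; inspect manually" ;;
    esac
    return $rc
}

# Usage, e.g. after the dovecot/stunnel changes above (hostname is a placeholder):
#   for p in 443 993 995 465; do check_sslv2 mail.example.com "$p"; done
```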

Comments


SSLv2

Recently I wrote a about it, so I can tell you that to disable SSL v2 for PCI compliance, first thing, test it out to make sure it's enabled.
You can use the following OpenSSL command: openssl s_client -host YOUR_IP -port 443 -verify -debug -ssl2.
