Disable SSLv2 System Wide

For anyone who has had to deal with any of the "PCI auditing" companies, you know what a pain in the ass SSLv2 can be. But there are a few pretty easy ways to clear it up.

1. Compile OpenSSL without SSLv2 support

Ok, this one is half a joke. It is possible (OpenSSL's configure script takes a no-ssl2 option that strips the protocol out of the library, which fixes every application linked against it at once), but rebuilding and then maintaining your own OpenSSL just for this is more work than the two options below.

2. Disable it per-application

So you only got busted for having SSLv2 enabled on a certain port, eh? Here are the basics. For anything not listed, use Option 3, or RTFM and post in the comments ;-) Once you edit the correct files, restart the service and test for SSLv2 (see "Testing that SSLv2 is Disabled" at the bottom) to make sure it's gone.

apache httpd:
Add the following line to your httpd.conf (or wherever your mod_ssl settings live, e.g. ssl.conf or the SSL vhost):

SSLProtocol all -SSLv2

To also make sure you pass PCI compliance, tighten the cipher list at the same time:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

Use both. SSLProtocol is the directive that actually turns the protocol off; SSLCipherSuite only drops the SSLv2 cipher suites (plus the anonymous and null ones auditors also complain about), which leaves nothing for an SSLv2 client to negotiate but is not the direct control.

dovecot 1.0+ (keep reading; Option 3 below also covers dovecot)
Add this line to your dovecot.conf:

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

IIS 5.0 & 6.0
Microsoft has two articles on this, pick your poison:
http://support.microsoft.com/kb/216482
http://support.microsoft.com/kb/187498

lighttpd
Add to lighttpd.conf:

ssl.use-sslv2 = "disable"

postfix
main.cf:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium

smtpd_tls_mandatory_ciphers takes a single minimum grade (medium or high), not a list. Also note that the smtpd_tls_mandatory_* settings only apply when you enforce TLS (smtpd_tls_security_level = encrypt); with opportunistic TLS they do nothing. Postfix 2.6 and later add smtpd_tls_protocols and smtpd_tls_ciphers for the opportunistic case (smtpd_tls_protocols accepts the exclusion form !SSLv2), so set those as well if your version has them.

proftpd
proftpd.conf (mod_tls):

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Newer mod_tls releases also have a TLSProtocol directive; if yours does, TLSProtocol SSLv3 TLSv1 disables SSLv2 directly and is the better knob.

slapd
slapd.conf:

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

vsftpd
(This is only if you have SSL support enabled). vsftpd.conf:

ssl_sslv2=NO

Note on cipher lists:
In the above examples I used HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3, but if all you want is to disable SSLv2 and leave the other problematic ciphers alone, ALL:!SSLv2 will do it. Or come up with your own list, like ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM. Two things worth knowing about OpenSSL cipher strings while you do that: a ! prefix removes ciphers permanently (nothing later in the string can bring them back), while a + prefix does not enable anything, it only moves matching ciphers to the end of the list, so +TLSv1 and +SSLv3 above are about ordering, not about which protocols are on. Wherever an application has a real protocol setting (SSLProtocol, TLSProtocol, ssl_sslv2, etc.), use that, and treat the cipher list as the second line of defense.

3. Use Stunnel

This is the penicillin of the SSL world. It will cure your problems. Use it to fix those pesky programs that don't let you edit the cipher list or, worst of all, don't have SSL support. The exception is FTP: its data connections are negotiated on the fly on separate ports, so a simple port-forwarding wrapper like stunnel can't follow them.

Check if it's currently installed
(it probably is if you're using RHEL):

which stunnel

If it's not installed
Try to get it from the repositories:
CentOS/RHEL:

yum install stunnel

Ubuntu/Debian:

apt-get install stunnel4

Other: Compile from source. It's simple. The latest non-experimental release at the time of writing was 4.20:

wget http://www.stunnel.org/download/stunnel/src/stunnel-4.20.tar.gz
tar xzvf stunnel-4.20.tar.gz
cd stunnel-4.20
./configure
make
sudo make install

You'll also want to install the init file:

sudo cp tools/stunnel.init /etc/init.d/stunnel
sudo chmod 755 /etc/init.d/stunnel
sudo chown root:root /etc/init.d/stunnel

If using RHEL/CentOS:

chkconfig --add stunnel

Setup the Stunnel certificate
I set a valid period for 10 years because I don't like dealing with these things. When it asks for the FQDN (Common Name), enter your server address (ex: adamyoung.net):

mkdir -p /etc/stunnel
cd /etc/stunnel
openssl req -newkey rsa:2048 -keyout key.pem -nodes -x509 -days 3650 -out cert.pem
cat key.pem > stunnel.pem
cat cert.pem >> stunnel.pem
rm key.pem cert.pem
chmod 600 stunnel.pem

Use a 2048-bit key; 1024-bit RSA is no longer considered adequate. Also remember this is a self-signed certificate: mail clients will warn about it and a PCI scan will usually flag it as a separate finding. For anything customer-facing, put a CA-issued certificate in stunnel.pem instead. The file layout is the same: private key first, then the certificate, then any intermediate certificates.

Setup /etc/stunnel/stunnel.conf
For this example I'll use dovecot because I mentioned above that dovecot

cert = /etc/stunnel/stunnel.pem
; the whole point of this exercise: never negotiate SSLv2, and drop the junk ciphers
options = NO_SSLv2
ciphers = HIGH:MEDIUM:!SSLv2:!ADH:!aNULL:!eNULL

[imaps]
accept  = 993
connect = 143

[pops]
accept  = 995
connect = 110

A bare port in connect means localhost, so stunnel terminates SSL on 993/995 and hands the plaintext to dovecot's own IMAP and POP3 ports. Don't leave the options line out: without it, whether SSLv2 gets offered depends on stunnel's sslVersion default and the OpenSSL it was built against, which is exactly what you don't want to rely on. And since 143 and 110 are still open, make sure they are firewalled from the outside or bound to 127.0.0.1 (dovecot's listen setting), otherwise you've added an encrypted path without removing the plaintext one.

You may also want to secure the server you send outgoing mail to. First, check to make sure something else (postfix?) doesn't have the port open with

netstat -an | grep 465

If you see a line like this:

tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN

Then you're already taken care of. Otherwise, add the following lines to /etc/stunnel/stunnel.conf:

[smtps]
accept  = 465
connect = 25

Next up, you need to tell dovecot to stop listening on the IMAPS and POPS ports itself, or it will fight stunnel for 993 and 995. Remove imaps and pop3s from the protocols line of /etc/dovecot.conf:

protocols = imap pop3

One side effect to be aware of: every connection now arrives from 127.0.0.1, so dovecot's logs show stunnel's address rather than the real client's.

Last step! Restart dovecot and start stunnel (in RHEL/CentOS you can use the service command instead):

/etc/init.d/dovecot restart
/etc/init.d/stunnel start

Testing that SSLv2 is Disabled

Run this against every host:port the auditor flagged, not just 443:

openssl s_client -connect HOSTNAME:PORT -ssl2

If you receive the certificate and a ton of other lines, the SSLv2 handshake completed and you still have SSLv2 enabled. Otherwise, if you receive something like these, you're fine:
write:errno=54
8965:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

The errno is simply whatever your OS uses for a reset connection (54 on BSD and Mac OS X, 104 on Linux). Two caveats: run the test from outside your network, as the scanner does, so you hit the same ports and the same firewall rules; and if your openssl says "unknown option -ssl2", that build has no SSLv2 support at all (OpenSSL 1.1.0 and later removed the protocol) and cannot tell you anything about the server, so use an older build or a scanner that still speaks SSLv2.
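Because a current OpenSSL can no longer speak SSLv2 at all, the most reliable way to test today is to send a raw SSLv2 CLIENT-HELLO yourself and see whether a SERVER-HELLO comes back. The probe below is an added example, not part of the original post: it builds the CLIENT-HELLO from the SSLv2 record and message layout, parses the reply, and reports a verdict. The host and port arguments, the SAMPLE_SERVER_HELLO bytes and the dummy certificate inside it are constructed for illustration, not captured from a real server.

```python
"""Minimal SSLv2 probe: send a CLIENT-HELLO, check for an SSLv2 SERVER-HELLO."""
import os
import socket
import struct

# The seven cipher specs defined by the SSLv2 protocol, 3 bytes each.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(body: bytes) -> bytes:
    """Two-byte SSLv2 record header: high bit set, 15-bit body length, no padding."""
    if len(body) > 0x7FFF:
        raise ValueError("SSLv2 record body too long")
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge: bytes = b"") -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher spec, version 0x0002, no session id."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = (b"\x01"                                   # MSG-CLIENT-HELLO
            + b"\x00\x02"                             # CLIENT-VERSION = 2
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return sslv2_record(body)


def sslv2_record_body(data: bytes):
    """Body of the first complete SSLv2 record in data, or None if incomplete."""
    if len(data) < 2:
        return None
    if data[0] & 0x80:                                # 2-byte header form
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                             # 3-byte header form (padding byte)
        if len(data) < 3:
            return None
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    return data[hdr:hdr + length] if len(data) >= hdr + length else None


def parse_server_hello(data: bytes):
    """Decode an SSLv2 SERVER-HELLO into a dict; None if the reply is something else."""
    body = sslv2_record_body(data)
    if body is None or len(body) < 11 or body[0] != 0x04:  # MSG-SERVER-HELLO
        return None
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, specs_len, conn_id_len = struct.unpack(">HHH", body[5:11])
    if specs_len % 3 or len(body) < 11 + cert_len + specs_len + conn_id_len:
        return None
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [SSLV2_CIPHER_SPECS.get(specs[i:i + 3], "unknown " + specs[i:i + 3].hex())
               for i in range(0, specs_len, 3)]
    return {"version": version, "certificate_der": cert, "ciphers": ciphers,
            "session_id_hit": body[1], "certificate_type": body[2]}


def classify_response(data: bytes) -> str:
    """Turn whatever the server sent back into a verdict string."""
    hello = parse_server_hello(data)
    if hello is not None and hello["version"] == 0x0002:
        return "SSLv2 ENABLED, server offers: " + ", ".join(hello["ciphers"])
    if not data:
        return "SSLv2 disabled (server closed the connection without replying)"
    if data[0] == 0x15:                               # TLS alert record type
        return "SSLv2 disabled (server answered with a TLS alert)"
    return "SSLv2 disabled (reply is not an SSLv2 SERVER-HELLO)"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the CLIENT-HELLO, read until a full record, an alert, EOF or timeout."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            while sslv2_record_body(buf) is None and not buf.startswith(b"\x15"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except (socket.timeout, ConnectionResetError):
            pass
    return classify_response(buf)


# Constructed SERVER-HELLO for offline testing (not from a real host): version 2,
# a 4-byte dummy "certificate", two cipher specs and a 16-byte connection id.
_FAKE_CERT, _CONN_ID = b"\x30\x82\x00\x00", b"C" * 16
SAMPLE_SERVER_HELLO = sslv2_record(
    b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(_FAKE_CERT), 6, len(_CONN_ID))
    + _FAKE_CERT + b"\x01\x00\x80\x07\x00\xc0" + _CONN_ID)

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])        # e.g. mail.example.com 993
    print(host, port, "->", probe(host, port))
```

Run it as `python sslv2probe.py HOSTNAME 993` against each flagged port. A server that still has SSLv2 on answers the CLIENT-HELLO with a SERVER-HELLO carrying its certificate and the cipher specs it accepts, which is exactly the "certificate and a ton of other lines" case above; one that has it off either drops the connection or answers with a TLS alert, and both are reported as disabled.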
