Disable SSLv2 in apache (httpd)

Disable SSLv2 and enable SSLv3 or TLSv1

SSL 2.0, reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. To disable SSLv2 follow these steps.

After performing vulnerability scan using nessus if you find details about SSLv2 weaknesses in that report then please find the options required to disable SSLv2 as mentioned below.

In /etc/httpd/conf.d/ssl.conf change following options

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

After changing options try this command from command prompt and make sure you get error

  1. #openssl s_client –ssl2 –connect virtualhost:443

    then try this command

  2. #openssl s_client –ssl3 –connect virtualhost:443

    OR

  3. #openssl s_client –tls1 –connect virtualhost:443

This is to make sure that your sites with ssl are working correctly with SSLv3 or TLSv1.

In order to perform these changes you need to login to server and become super user.

Note: Depending on server configuration ssl.conf file will be different. Default directory to hold apache / httpd configuration in most of gnu/linux is /etc/httpd/

Share this post

Post Comment