Disable SSLv2 and enable SSLv3 or TLSv1
SSL 2.0 has several well-known cryptographic flaws (among them a weak MAC construction and an unauthenticated handshake that lets an active attacker force a weaker cipher suite) and has been deprecated for years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or to decrypt communications between the affected service and its clients. SSL 3.0 has since been broken as well (POODLE, CVE-2014-3566) and TLS 1.0 and 1.1 are deprecated by RFC 8996, so on a current server disable those too and leave only TLS 1.2 and 1.3 enabled; the steps below address SSLv2 specifically.
If a Nessus vulnerability scan of the host reports SSLv2 weaknesses, the options below disable SSLv2 in Apache.
In /etc/httpd/conf.d/ssl.conf set the following directive, either at server level or in every <VirtualHost> that has SSLEngine on (a vhost-level SSLProtocol overrides the global one):
SSLProtocol -ALL +SSLv3 +TLSv1
The tokens are applied left to right: -ALL removes every protocol version, then +SSLv3 and +TLSv1 add back only those two, so SSLv2 is never enabled. Current httpd 2.4 releases built against OpenSSL 1.1.0 or later reject +SSLv2 as a configuration error, because the library no longer contains SSLv2 at all; -SSLv2 is still accepted so that old configurations keep loading.
Run apachectl configtest and then restart httpd (service httpd restart, or apachectl graceful) so the new directive takes effect. Then run this from a shell, replacing virtualhost with the site's hostname, and make sure the SSLv2 handshake fails:
- # openssl s_client -ssl2 -connect virtualhost:443
Note that many distribution builds of OpenSSL, and every release since 1.1.0, are compiled without SSLv2; on those the command exits with an "unknown option" error from the client itself, which proves nothing about the server. In that case verify from a client that still speaks SSLv2, for example a Nessus rescan or nmap --script ssl-enum-ciphers against port 443.
Then run these two commands; each should complete the handshake and print the server certificate, the negotiated cipher and a session block for that protocol:
- # openssl s_client -ssl3 -connect virtualhost:443
- # openssl s_client -tls1 -connect virtualhost:443
This confirms that your SSL sites still work correctly over SSLv3 and TLSv1 after the change.
To make these changes you need to log in to the server and become root.
Note: the location of ssl.conf depends on how the server was installed. /etc/httpd/ is the default Apache (httpd) configuration directory on Red Hat-derived GNU/Linux distributions (RHEL, CentOS, Fedora); Debian and Ubuntu use /etc/apache2/ instead, with the SSL settings in mods-available/ssl.conf and the site files under sites-available/.
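The checks above, as an added example (this script is not part of the original page and is not Apache's or OpenSSL's own code): ssl_protocol_allows() re-implements the way mod_ssl evaluates an SSLProtocol line, so you can tell from the file alone whether a version such as SSLv2 is still enabled, and probe_protocol() wraps the openssl s_client commands and classifies the result, including the case where the local OpenSSL no longer knows the version at all. The function names, the script name ssl_audit.sh, the hostname www.example.com in the usage note and the sample configuration lines are assumptions of mine; the parsing rules follow mod_ssl's documented left-to-right handling of +, - and all.

```sh
#!/bin/sh
# Added example, not from the original page or from Apache. Audits an
# SSLProtocol directive the way mod_ssl evaluates it and probes a live
# vhost with openssl s_client, one protocol version at a time.

upcase() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# ssl_protocol_allows CONFIG PROTO -> exit status 0 if PROTO ends up enabled.
# mod_ssl rules: tokens are applied left to right; "+X" adds X, "-X" removes
# X, "all" stands for every version, and a bare token replaces whatever was
# set before it (httpd logs a warning about a missing +/- prefix).
# No SSLProtocol directive at all means the built-in default, "all".
# Simplification: the last uncommented directive in the file is used; if
# several <VirtualHost> blocks carry their own, audit each context separately.
ssl_protocol_allows() {
    config=$1
    want=$(upcase "$2")
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$config" | tail -n 1)
    [ -n "$line" ] || return 0
    all="SSLV2 SSLV3 TLSV1 TLSV1.1 TLSV1.2 TLSV1.3"
    enabled=" "                    # space-delimited set of enabled versions
    args=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//')
    for tok in $args; do
        case $tok in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        name=$(upcase "$name")
        if [ "$name" = ALL ]; then names=$all; else names=$name; fi
        if [ "$action" = set ]; then enabled=" "; fi
        for n in $names; do
            if [ "$action" = del ]; then
                enabled=$(printf '%s\n' "$enabled" | sed "s/ $n / /")
            else
                case $enabled in *" $n "*) ;; *) enabled="$enabled$n " ;; esac
            fi
        done
    done
    case $enabled in *" $want "*) return 0 ;; *) return 1 ;; esac
}

# probe_protocol HOST PORT FLAG -> prints one of
#   accepted | rejected | unreachable | no-client-support
# FLAG is an openssl s_client version switch: -ssl2 -ssl3 -tls1 -tls1_1
# -tls1_2 -tls1_3. A client built without that version (every OpenSSL since
# 1.1.0 lacks SSLv2) answers "unknown option"; that is reported separately
# because it says nothing about what the server accepts.
probe_protocol() {
    host=$1; port=$2; flag=$3
    rc=0
    out=$(printf 'Q\n' | openssl s_client "$flag" -connect "$host:$port" 2>&1) || rc=$?
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo no-client-support
    elif printf '%s\n' "$out" | grep -qiE 'connect:errno|Connection refused|getaddrinfo'; then
        echo unreachable                # TCP-level failure, not a TLS verdict
    elif [ "$rc" -eq 0 ] && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo accepted                   # handshake completed with a real cipher
    else
        echo rejected                   # alert / handshake failure from the server
    fi
}

# Usage: sh ssl_audit.sh /etc/httpd/conf.d/ssl.conf [host [port]]
if [ $# -ge 1 ]; then
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        if ssl_protocol_allows "$1" "$p"; then s=enabled; else s=disabled; fi
        printf 'config  %-8s %s\n' "$p" "$s"
    done
fi
if [ $# -ge 2 ]; then
    for f in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf 'probe   %-8s %s\n' "$f" "$(probe_protocol "$2" "${3:-443}" "$f")"
    done
fi
```

Run it as sh ssl_audit.sh /etc/httpd/conf.d/ssl.conf www.example.com 443. Against the directive from this page it reports SSLv2 disabled and SSLv3 and TLSv1 enabled; against SSLProtocol -all +TLSv1.2 +TLSv1.3, the setting to use on a current server, only those two show as enabled, and a file with no SSLProtocol line at all shows everything enabled because that is Apache's default. A probe result of no-client-support for -ssl2 means only that your openssl binary lacks SSLv2, not that the server rejects it; rerun that check with a scanner that still speaks the protocol.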