Pivotal Knowledge Base

Disabling SSLv2 support in Apache HTTP Server (2009299)

Purpose

This article provides information on disabling SSLv2 in Apache HTTP Server.
 
Though SSLv2 is considered insecure and has been superseded by SSLv3 and TLS (RFC 6176 formally prohibits its use), it remains one of the protocols available in OpenSSL, the cryptography library the server uses. No modern browser requires SSLv2, and if the server still offers it, a network attacker in a position to tamper with the handshake can push a connection down to SSLv2 and then exploit its known weaknesses, such as the lack of integrity protection for the handshake itself and its weak, MD5-based message authentication. Therefore, SSLv2 should be explicitly excluded by the server configuration rather than left to the library's defaults.

Resolution

You disable SSLv2 with the SSLProtocol directive in your SSL configuration, which lists the protocol versions the server may negotiate. Each token is a protocol name (SSLv2, SSLv3, TLSv1, or all), optionally prefixed with + to add it to the set or - to remove it. A name with no prefix replaces whatever came before it, so the order of tokens matters: write all -SSLv2, not -SSLv2 all. At the time of writing the usable versions are SSLv3 and TLS 1.0; later TLS versions (TLSv1.1, TLSv1.2) can be named once your mod_ssl and OpenSSL builds support them. Note that SSLv3 has itself since been deprecated (RFC 7568), so on current builds the whole SSLv2/SSLv3 family should be excluded, not SSLv2 alone.
 
For example:

SSLProtocol +SSLv3 +TLSv1 -SSLv2

You can control the protocols and cipher suites more specifically with the SSLCipherSuite directive, whose value is an OpenSSL cipher list. Adding !SSLv2 anywhere in the string permanently removes the SSLv2 cipher suites, so that no later token in the list can bring them back (unlike the - prefix, which removes a group but allows it to be re-added). Treat this as defence in depth alongside SSLProtocol, not as a replacement for it: the protocol setting is what decides whether the server will enter an SSLv2 handshake at all, and OpenSSL versions differ in how the cipher list is built.
 
For example:

SSLCipherSuite !SSLv2:!EXP:!NULL:+HIGH:+MEDIUM:RSA:-LOW
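The SSLProtocol semantics described above can be checked mechanically before restarting the server. The following shell script is an added example for this article, not code from the original KB text or from the Apache project: it evaluates each SSLProtocol directive in a configuration file the way mod_ssl parses the argument list (a bare name replaces the set, + adds, - removes) and reports whether SSLv2 is still enabled. It assumes a plain httpd.conf-style file (Include lines are not followed), and it deliberately treats the all shortcut as containing SSLv2, since older mod_ssl builds defined it that way; the two configuration snippets at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Audit Apache SSLProtocol directives for SSLv2 exposure.
# Added example for this article (not Apache's or the KB's own code).
# Assumptions: a plain httpd.conf-style file (Include is not followed), and
# 'all' is conservatively treated as containing SSLv2, as older mod_ssl did.

# Evaluate one SSLProtocol argument list the way mod_ssl parses it: a bare
# name replaces the whole set, '+name' adds to it, '-name' removes from it.
# Prints "allowed" or "excluded" for SSLv2.
sslv2_from_args() {
    state=excluded
    for tok in "$@"; do
        case "$tok" in
            [+-]*) op=${tok%"${tok#?}"}; name=${tok#?} ;;
            *)     op=""; name=$tok ;;
        esac
        # protocol names are matched case-insensitively by mod_ssl
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$name" in
            all|sslv2) touches=yes ;;   # tokens whose set contains SSLv2
            *)         touches=no ;;
        esac
        case "$op" in
            "")  if [ "$touches" = yes ]; then state=allowed; else state=excluded; fi ;;
            "+") if [ "$touches" = yes ]; then state=allowed; fi ;;
            "-") if [ "$touches" = yes ]; then state=excluded; fi ;;
        esac
    done
    echo "$state"
}

# Audit a config file: one line per SSLProtocol directive, then a verdict.
# A file with no directive is reported as a finding, because mod_ssl's
# default ('all') then applies and SSLv2 has not been explicitly excluded.
audit_config() {
    cfg=$1
    verdict=excluded
    # Apache only treats whole-line '#' comments as comments; strip those,
    # then keep the argument lists of SSLProtocol directives (the directive
    # name itself is case-insensitive).
    directives=$(sed 's/^[[:space:]]*#.*//' "$cfg" |
        awk 'tolower($1) == "sslprotocol" { $1 = ""; print }')
    if [ -z "$directives" ]; then
        echo "verdict: no SSLProtocol directive (default applies, SSLv2 not excluded)"
        return 0
    fi
    while read -r args; do
        [ -n "$args" ] || continue
        # shellcheck disable=SC2086  # word-split the argument list on purpose
        set -- $args
        this=$(sslv2_from_args "$@")
        echo "SSLProtocol $args -> SSLv2 $this"
        if [ "$this" = allowed ]; then verdict=allowed; fi
    done <<EOF
$directives
EOF
    echo "verdict: SSLv2 $verdict"
}

# Demo on two constructed snippets (not taken from any real deployment).
demo_dir=$(mktemp -d)
cat >"$demo_dir/weak.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # wrong order: the bare 'all' replaces the set, discarding -SSLv2
    SSLProtocol -SSLv2 all
</VirtualHost>
EOF
printf 'SSLProtocol +SSLv3 +TLSv1 -SSLv2\n' >"$demo_dir/fixed.conf"
for f in "$demo_dir/weak.conf" "$demo_dir/fixed.conf"; do
    echo "== $f"
    audit_config "$f"
done
rm -rf "$demo_dir"
```

Run it as a script to see the demo, or source it and call audit_config on your own SSL configuration file. The second virtual host in the weak sample is the mistake to look for: because the bare all comes after -SSLv2, it replaces the set and SSLv2 comes back, even though the file visibly mentions -SSLv2.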

Additional Information

After changing your configuration and restarting the server, you can use the openssl command-line client to verify that the server no longer accepts SSLv2.
 
For example:
 
$ openssl s_client -connect localhost:8443 -ssl2
 
You should see output similar to:

CONNECTED(00000003)
19272:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

If SSLv2 were still available, the output would instead include the connection details and the server certificate. The handshake-failure error in the preceding example confirms that the server refused SSLv2. Two caveats apply when reading this check. First, the result only proves something if the client side could actually ask for SSLv2: OpenSSL 1.1.0 and later no longer contain SSLv2 at all, and many distribution builds of earlier versions were compiled without it, so on such systems -ssl2 is rejected as an unknown option, which says nothing about the server. Second, make sure you are probing the port on which mod_ssl actually listens (8443 in this example); a plain TCP connection failure is not evidence that SSLv2 is disabled either.
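The distinctions just described (server refused SSLv2, server still offers it, client cannot even ask, nothing listening) are easy to blur when eyeballing s_client output. The following shell functions are an added example for this article, not part of the original KB text or of OpenSSL: classify_sslv2_probe sorts a captured s_client transcript into one of those outcomes using the message strings s_client prints, and probe_sslv2 runs the probe against a host and port and classifies the result. The sample transcripts in the demonstration are constructed, apart from the two lines quoted in the article above.

```shell
#!/bin/sh
# Interpret the result of an `openssl s_client -ssl2` probe.
# Added example for this article, not part of the original KB text or of
# OpenSSL. Which message you see depends on the client build, so the
# function separates "the server refused SSLv2" from "this client cannot
# even request SSLv2", and both from "nothing answered on that port".
classify_sslv2_probe() {
    out=$1
    case "$out" in
        # OpenSSL 1.1.0+ removed SSLv2, and many 1.0.x distribution builds
        # were compiled with no-ssl2: -ssl2 is then rejected as an option
        # and the probe says nothing at all about the server.
        *[Uu]"nknown option"*) echo untestable ;;
        # TCP connect failed: no listener there, so again no conclusion.
        *"connect:errno="*|*"Connection refused"*|*"Connection timed out"*) echo unreachable ;;
        # The server would not complete an SSLv2 handshake (the SSL2_WRITE
        # error quoted in the article), no cipher was agreed, or the
        # connection was dropped mid-handshake.
        *"handshake failure"*|*"Cipher is (NONE)"*|*"read:errno="*|*"write:errno="*) echo refused ;;
        # A certificate came back over SSLv2: the protocol is still offered.
        *"Server certificate"*|*"BEGIN CERTIFICATE"*) echo offered ;;
        *) echo unknown ;;
    esac
}

# Run the probe and classify it. s_client reads stdin after the handshake,
# so stdin comes from /dev/null to make it exit; stderr is merged because
# the error strings are written there. Port defaults to 443.
probe_sslv2() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -ssl2 </dev/null 2>&1 || true)
    classify_sslv2_probe "$out"
}

# Demo on the transcript quoted in the article and on a constructed one
# from a client that has no SSLv2 support (no network access needed).
article_sample='CONNECTED(00000003)
19272:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
no_ssl2_client='s_client: Unknown option: -ssl2
s_client: Use -help for summary.'
echo "article sample   -> $(classify_sslv2_probe "$article_sample")"
echo "no-ssl2 client   -> $(classify_sslv2_probe "$no_ssl2_client")"
```

To test a live server, source the file and run probe_sslv2 localhost 8443. Only the verdicts offered and refused say anything about the server; untestable means you need an older OpenSSL build (or a dedicated scanner) to perform this check, and unreachable means the port is not the one mod_ssl is listening on.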
©VMware 2013
