1

Background: I ran a security check on a dedicated server (linux) that I now admin of using: https://www.ssllabs.com/ssldb/index.html. It says that my SSL protocols are:

Protocols

- TLS 1.2  No
- TLS 1.1  No
- TLS 1.0  Yes
- SSL 3.0  Yes
- SSL 2.0+ Yes upgrade support
- SSL 2.0  Yes INSECURE

I am going to be adding a SSL Certificate to the server so I figure I should fix it while I am there. I am new to web-hosting administration so explanations are useful for me.

My Question(s): First what is SSL 2.0+ upgrade support? Second can I disable SSL 2.0 and not disable SSL2.0+? My Apache 2.x currently has the SSLCipherSuite setting of:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

If I change it to

SSLCipherSuite All:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL

will it accomplish my goal?

Thanks in advance! (First Post!)

jneff
  • 43
  • 4

2 Answers2

4

You mistook SSL 2.0+ upgrade support for something it isn't.

That one means the server supports the old SSL 2.0-style handshake that was later on extended to allow initiating the connection in the old 2.0 style but let the client specify it really wanted to talk SSL 3.0 anyway. It is not a security issue and you can leave it enabled as long as you intend to provide SSL 3.0 support.

Also, this whole thing is not about cipher suites but protocol versions.

To leave everything Apache supports enabled except SSL 2.0, use: SSLProtocol all -SSLv2

Gnarfoz
  • 3,146
  • 1
  • 17
  • 15
  • There was a recent discussion about the message format in [this question](http://stackoverflow.com/q/10196436/372643). – Bruno May 07 '12 at 18:59
0

First what is SSL 2.0+ upgrade support? I found that SSL 2.0+ is just SSL 2.0 but with support of for properly handling the renegotiation vulnerability.

Second can I disable SSL 2.0 and not disable SSL 2.0+? Simple Answer: Didn't know. SSL2.0+ isn't even defined in the websites documentation of there evaluation. As far as I can tell the SSL 2.0+ is just an indication of weather or not openssl has the ability to handle the update that fixed the renegotiation vulnerability.

Changing the SSLCipherSuite to turn off SSLv2 would accomplish my goal of turning off the SSL 2.0 INSECURE, however it would also turn off the SSL 2.0+.

jneff
  • 43
  • 4