Disabling the SSLv2 protocol

on 19.09.2007 22:52:05 by Murr

Hi.
I need to disable the SSLv2 protocol, and am having problems. I have
followed the instructions in Article ID : 187498 re: the registry
modifications, but when I re-scan my server, it still shows SSLv2 as a
vulnerability.

Does anyone know if there is something else I can try to disable that
protocol?

We are similar to "Gonzo's" post - I ran a security scan on this server and
it shows open...

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication
between a client and a server.
There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker
can force the communication to a less secure level and then attempt to
break the weak encryption. The attacker can also truncate encrypted messages.
These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all
popular web-servers, mail-servers, etc.) and clients (including
Web-clients like IE, Netscape Navigator and Mozilla and mail clients)
support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for
backward compatibility.
The following links provide more information about this vulnerability:
SSL Server Security Survey
SSL 3.0 Specification
IMPACT:
An attacker can exploit this vulnerability to read secure communications or
maliciously modify messages.
SOLUTION:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the
following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
SSLNoV2
How to disable SSLv2 on IIS : Microsoft
Knowledge Base Article - 187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in
Schannel.dll :
Microsoft Knowledge Base Article - 245030
RESULT:
No

Re: Disabling the SSLv2 protocol

on 20.09.2007 12:14:24 by David Wang

Those are all the necessary directions. There's nothing else.

Double check that you have followed instructions in KB245030.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Sep 19, 1:52 pm, Murr wrote:
> Hi.
> I need to disable the SSLv2 protocol, and am having problems. I have
> followed the instructions in Article ID : 187498 re: the registry
> modifications, but when I re-scan my server, it still shows SSLv2 as a
> vulnerability.
>
> Does anyone know if there is something else I can try to disable that
> protocol?
>
> We are similar to "Gonzo's" post - I ran a security scan on this server and
> it shows open...
>
> THREAT:
> The Secure Socket Layer (SSL) protocol allows for secure communication
> between a client and a server.
> There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker
> can force the communication to a less secure level and then attempt to
> break the weak encryption. The attacker can also truncate encrypted messages.
> These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all
> popular web-servers, mail-servers, etc.) and clients (including
> Web-clients like IE, Netscape Navigator and Mozilla and mail clients)
> support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for
> backward compatibility.
> The following links provide more information about this vulnerability:
> SSL Server Security Survey
> SSL 3.0 Specification
> IMPACT:
> An attacker can exploit this vulnerability to read secure communications or
> maliciously modify messages.
> SOLUTION:
> Disable SSLv2.
> Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the
> following lines:
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
> For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
> SSLNoV2
> How to disable SSLv2 on IIS : Microsoft
> Knowledge Base Article - 187498
> How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in
> Schannel.dll :
> Microsoft Knowledge Base Article - 245030
> RESULT:
> No
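An added example, not part of this thread, for checking the point David raises: it audits the Schannel registry values that KB245030 describes for the SSL 2.0 server side, catching the usual mistakes (key not created, value missing, value typed as REG_SZ instead of REG_DWORD, or not set to 0), and creates the value if it is wrong. The key path is the standard Schannel location assumed here; a reboot is still needed before Schannel re-reads these values, which is the most common reason a re-scan keeps reporting SSLv2.

```powershell
# Added example (not from the thread): audit/fix the Schannel value that disables
# SSL 2.0 for the server side, per KB245030. Assumes the standard Schannel path.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$key  = Join-Path $base 'SSL 2.0\Server'   # note the space in "SSL 2.0"

function Test-Sslv2Disabled {
    if (-not (Test-Path $key)) {
        Write-Warning "MISSING: $key does not exist; SSLv2 is still at its default (enabled)."
        return $false
    }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item.Enabled) {
        Write-Warning "MISSING: 'Enabled' value not present under $key."
        return $false
    }
    # Common mistake: the value was typed as a string (REG_SZ) instead of REG_DWORD.
    $kind = (Get-Item $key).GetValueKind('Enabled')
    if ($kind -ne 'DWord') {
        Write-Warning "WRONG TYPE: 'Enabled' is $kind, must be REG_DWORD."
        return $false
    }
    if ($item.Enabled -ne 0) {
        Write-Warning "ENABLED: 'Enabled' = $($item.Enabled); SSLv2 server support is still on."
        return $false
    }
    Write-Host "OK: SSL 2.0 server disabled in the registry (reboot required to take effect)."
    return $true
}

function Disable-Sslv2Server {
    # Create the key if needed and write Enabled = 0 as a REG_DWORD.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

if (-not (Test-Sslv2Disabled)) {
    Disable-Sslv2Server
    Test-Sslv2Disabled | Out-Null   # re-audit after the write
}
```

Run it in an elevated PowerShell session, reboot, and then re-run the external scan; a scan taken before the reboot will still show SSLv2 because Schannel only reads these values at startup.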