Thursday, February 21, 2013

Vulnerability fixes – Web Server Supports Outdated SSLv2 Protocol

If your network engineer comes to you again and says that you need to resolve this vulnerability on your Apache server, what will you do? And how can you be sure that your configuration is working?


Steps: Edit Apache's httpd-ssl.conf and include these lines at minimum:
SSLProtocol -ALL +SSLv3 +TLSv1
Note: I assume you know where httpd-ssl.conf resides. I assume you know how to turn on SSL :D

How to test?

Run the command below to verify that SSLv3 is enabled:
openssl s_client -connect localhost:443 -ssl3
On success, the retrieved certificate is displayed.

Run the command below to verify that SSLv2 is disabled:
openssl s_client -connect localhost:443 -ssl2
The handshake fails, with output like this:
Loading 'screen' into random state - done
CONNECTED(00000154)
4460:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:428:
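The handshake test above needs an openssl client that still supports SSLv2. As a complementary offline check, the following added example (not code from the original post) evaluates the SSLProtocol line in a config file the way mod_ssl reads it, left to right, and reports whether SSLv2 is still offered. It assumes an Apache 2.2-era mod_ssl where "all" means SSLv2, SSLv3 and TLSv1; the function names and sample configs are constructed for illustration.

```python
import re

# Assumption: Apache 2.2-era mod_ssl, where "all" means SSLv2 + SSLv3 + TLSv1
# and is also the default when no SSLProtocol line is present.
ALL = ("SSLv2", "SSLv3", "TLSv1")
CANON = {p.lower(): p for p in ALL}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def apply_directive(args):
    """Evaluate one SSLProtocol argument list left to right, from an empty set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = (token[1:] if action else token).lower()
        if name == "all":
            selected = set(ALL)
        elif name in CANON:
            selected = {CANON[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = set(selected)  # a bare name replaces what came before
    return enabled

def audit(conf_text):
    """Report the protocols left enabled by the last SSLProtocol line.
    Simplification: <VirtualHost> scoping is ignored."""
    enabled = set(ALL)
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line)
        if match:  # commented-out lines start with '#' and never match
            enabled = apply_directive(match.group(1))
    return {"enabled": sorted(enabled), "sslv2_offered": "SSLv2" in enabled}

# Constructed sample configs (not taken from a real server).
FIXED = "SSLEngine on\nSSLProtocol -ALL +SSLv3 +TLSv1\n"
WEAK = "SSLEngine on\n#SSLProtocol -ALL +SSLv3 +TLSv1\nSSLProtocol all\n"

if __name__ == "__main__":
    for label, conf in (("fixed", FIXED), ("weak", WEAK)):
        print(label, audit(conf))
```

A config audit only shows what the file asks for; the s_client handshake against the running server remains the confirmation that the setting was loaded.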
