Thursday, February 21, 2013

Vulnerability fixes – Web Server Supports Outdated SSLv2 Protocol

If your network engineer again come to you and said that, you need to resolve this vulnerability issue in your Apache server, what will you do? How you so sure that your configuration is working?

Steps:   Edit Apache's httpd-ssl.conf and include these lines at minimum:
SSLProtocol -ALL +SSLv3 +TLSv1
Note: I assume you know where is https-ssl.conf is resided. I assume you know how to turn on SSL :D

How to test?

Run command below to verify SSL3 is enabled
openssl s_client  -connect localhost:443 -ssl3
A success result of retrieving certificate will be displayed.

Run command below to verify SSL2 is disabled
openssl s_client  -connect localhost:443 –ssl2
A failure result is displayed.
Loading 'screen' into random state - done
4460:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c

SSLProtocol -ALL +SSLv3 +TLSv1

No comments: