Reputation: 43
Background: I ran a security check on a dedicated server (Linux) that I am now the admin of using: https://www.ssllabs.com/ssldb/index.html. It says that my SSL protocols are:
Protocols
- TLS 1.2 No
- TLS 1.1 No
- TLS 1.0 Yes
- SSL 3.0 Yes
- SSL 2.0+ Yes upgrade support
- SSL 2.0 Yes INSECURE
I am going to be adding an SSL certificate to the server, so I figure I should fix it while I am there. I am new to web-hosting administration, so explanations are useful for me.
My Question(s): First, what is SSL 2.0+ upgrade support? Second, can I disable SSL 2.0 and not disable SSL 2.0+? My Apache 2.x currently has the SSLCipherSuite setting of:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
If I change it to
SSLCipherSuite All:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
will it accomplish my goal?
Thanks in advance! (First Post!)
Upvotes: 1
Views: 1092
Reputation: 3236
You mistook SSL 2.0+ upgrade support for something it isn't.
That one means the server supports the old SSL 2.0-style handshake that was later extended to allow initiating the connection in the old 2.0 style while letting the client specify that it really wanted to talk SSL 3.0 anyway. It is not a security issue and you can leave it enabled as long as you intend to provide SSL 3.0 support.
Also, this whole thing is not about cipher suites but protocol versions.
To leave everything Apache supports enabled except SSL 2.0, use:
SSLProtocol all -SSLv2
Upvotes: 4
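An added check that is not part of the answer above or of Apache itself: it applies the answer's distinction by parsing SSLProtocol values with mod_ssl's add/remove/replace rules and flagging SSLCipherSuite lines that mention SSLv2 as cipher selection only. It assumes Apache 2.2 semantics, where `all` expands to SSLv2, SSLv3 and TLSv1 (matching the answer's `all -SSLv2`), and the sample config is constructed.

```python
import re

# Canonical protocol names mod_ssl 2.2 accepts (matched case-insensitively).
# Assumption: Apache 2.2, where "all" expands to every one of these, SSLv2 included.
CANON = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}


def parse_sslprotocol(value):
    """Return the set of protocol versions an SSLProtocol value enables.

    mod_ssl rules: '+name' adds, '-name' removes, a bare name replaces the set
    built so far (mod_ssl warns when that overwrites an earlier token).
    """
    enabled = set()
    for word in value.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        if name.lower() == "all":
            versions = set(CANON.values())
        elif name.lower() in CANON:
            versions = {CANON[name.lower()]}
        else:
            raise ValueError("unknown protocol token: %s" % name)
        if action == "+":
            enabled |= versions
        elif action == "-":
            enabled -= versions
        else:
            enabled = versions
    return enabled


def audit(config_text):
    """Report, per directive, what actually governs SSLv2 in an httpd config.

    Returns (directive line, verdict) tuples. SSLCipherSuite lines naming SSLv2
    are flagged because they pick cipher suites, not protocol versions.
    """
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"(SSLProtocol|SSLCipherSuite)\s+(\S.*)", line, re.I)
        if not m:
            continue  # comments, blank lines, other directives
        directive, value = m.group(1).lower(), m.group(2)
        if directive == "sslprotocol":
            enabled = parse_sslprotocol(value)
            state = "SSLv2 enabled" if "SSLv2" in enabled else "SSLv2 disabled"
            findings.append((line, "%s; versions: %s" % (state, ", ".join(sorted(enabled)))))
        elif "sslv2" in value.lower():
            findings.append((line, "cipher selection only; does not change protocol versions"))
    return findings


# Constructed sample: the question's edited cipher line plus an "all" protocol line.
SAMPLE_CONFIG = """<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite All:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
    SSLProtocol all
</VirtualHost>
"""
```

Running `audit(SAMPLE_CONFIG)` shows the cipher line changes nothing about protocol versions while `SSLProtocol all` still enables SSLv2; `parse_sslprotocol("all -SSLv2")` yields only SSLv3 and TLSv1.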
Reputation: 43
First, what is SSL 2.0+ upgrade support? I found that SSL 2.0+ is just SSL 2.0 but with support for properly handling the renegotiation vulnerability.
Second, can I disable SSL 2.0 and not disable SSL 2.0+? Simple answer: Didn't know. SSL 2.0+ isn't even defined in the website's documentation of their evaluation. As far as I can tell, the SSL 2.0+ is just an indication of whether or not OpenSSL has the ability to handle the update that fixed the renegotiation vulnerability.
Changing the SSLCipherSuite to turn off SSLv2 would accomplish my goal of turning off the SSL 2.0 INSECURE; however, it would also turn off the SSL 2.0+.
Upvotes: 0