Re: SSL 2.0 enabled or disabled?

[Ralf Durkee <rd () rd1 net>]

At 05:22 PM 5/19/2004 -0400, Blane Perry wrote:
> Does anyone know of a tool that can scan a web server to determine which
> version of SSL is being used?  nmap?  nessus?

Nessus will report the SSL versions.

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net




> >>> Ralf Durkee <rd () rd1 net> 05/19/04 05:51AM >>>
> At 07:13 PM 5/18/2004 -0700, Ooper Starr wrote:
> >>Given all the vulnerabilities with SSL 2.0, do most people disable
> SSL 2.0
> >>on their servers or are there concerns of potential loss of consumers
> that
> >>may only have clients that support 2.0 who use the application?  IE's
>
> >>defaults are SSL 2.0 & 3.0 enabled and TLS 1.0 disabled.  Any good
> papers
> >>about this topic?
> >>____________________________________________________________
>
> >As you suggest SSLv2 should be disabled as it is vulnerable. It can be
>
> >disabled without concern for loss of customers. I have been requiring
> or
> >recommending (depending on my role) disabling SSLv2 for several years,
> at
> >least since late 2000, as all of the browsers support sslv3 or better.
> I've
> >always found it curious that IE disables TLSv3 by default, I suspect
> the MS
> >decision maker just didn't know what TLS was. Most of the servers I
> have
> >reviewed or audited for the first time, do not disable SSLv2 at least
> until
> >after the first review.  I also recommend disabling SSLv2 on the
> client
> >browser and enabling SSLv3 and TLSv1. I have only found 2 web servers
> since
> >2000 that didn't support SSLv3 or TLSv1.  Although when IE encounters
> a
> >server that doesn't support it's required versions, it will just sit
> there
> >and "spin" when it can't complete the handshake, there's no error
> message
> >given.
>
> -- Ralf Durkee, CISSP, GSEC, GCIH
> Principal Consultant
> http://rd1.net