WebApp Sec mailing list archives
Re: SSL 2.0 enabled or disabled?
From: Ralf Durkee <rd () rd1 net>
Date: Wed, 19 May 2004 20:55:17 -0400
At 05:22 PM 5/19/2004 -0400, Blane Perry wrote:
> Does anyone know of a tool that can scan a web server to determine which version of SSL is being used? nmap? nessus?

Nessus will report the SSL versions.

--
Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net
>>> Ralf Durkee <rd () rd1 net> 05/19/04 05:51AM >>>
> At 07:13 PM 5/18/2004 -0700, Ooper Starr wrote:
>> Given all the vulnerabilities with SSL 2.0, do most people disable SSL 2.0 on their servers or are there concerns of potential loss of consumers that may only have clients that support 2.0 who use the application? IE's defaults are SSL 2.0 & 3.0 enabled and TLS 1.0 disabled. Any good papers about this topic?
>
> As you suggest SSLv2 should be disabled as it is vulnerable. It can be disabled without concern for loss of customers. I have been requiring or recommending (depending on my role) disabling SSLv2 for several years, at least since late 2000, as all of the browsers support sslv3 or better. I've always found it curious that IE disables TLSv3 by default, I suspect the MS decision maker just didn't know what TLS was. Most of the servers I have reviewed or audited for the first time do not disable SSLv2, at least until after the first review. I also recommend disabling SSLv2 on the client browser and enabling SSLv3 and TLSv1. I have only found 2 web servers since 2000 that didn't support SSLv3 or TLSv1. Although when IE encounters a server that doesn't support its required versions, it will just sit there and "spin" when it can't complete the handshake; there's no error message given.
>
> --
> Ralf Durkee, CISSP, GSEC, GCIH
> Principal Consultant
> http://rd1.net
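Blane Perry asks above for a tool that reports which SSL versions a server speaks. As an added example (not from this thread, and not how Nessus does it), the Python below performs the SSLv2 half of that check by sending a raw SSLv2 ClientHello and classifying the reply, which is how an administrator confirms that SSLv2 really is off on their own server after changing the configuration. The host name in the usage is a placeholder, and the responses in the comments are constructed.

```python
"""Check whether a server still accepts SSLv2 by sending a raw SSLv2 ClientHello.

SSLv2 record (2-byte header): bit 15 set, low 15 bits = body length.
ClientHello body: msg_type(1)=1, version(2)=0x0002, cipher_specs_len(2),
session_id_len(2), challenge_len(2), cipher_specs, session_id, challenge.
A server with SSLv2 enabled replies with an SSLv2 ServerHello (msg_type 4);
one with SSLv2 disabled closes the socket or sends an SSLv3/TLS alert (0x15).
"""
import socket
import struct

# Three SSLv2 cipher-spec values from the SSLv2 draft (3 bytes each):
# RC4_128_WITH_MD5, RC2_128_CBC_WITH_MD5, DES_64_CBC_WITH_MD5.
SSL2_CIPHERS = bytes.fromhex("010080" "030080" "060040")


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return a complete SSLv2 ClientHello record (header + body)."""
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge          # empty session id, then challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> str:
    """Map the first bytes the server sends back to a verdict."""
    if not data:
        return "closed"                       # connection dropped: SSLv2 refused
    if data[0] == 0x15:
        return "alert"                        # SSLv3/TLS alert record: refused
    if data[0] & 0x80:                        # SSLv2 record, 2-byte header
        hdr = 2
    elif data[0] & 0x40 == 0 and len(data) >= 3:
        hdr = 3                               # SSLv2 record, 3-byte header (padding byte)
    else:
        return "unknown"
    if len(data) > hdr and data[hdr] == 4:
        return "sslv2"                        # SSLv2 ServerHello: SSLv2 is ENABLED
    return "unknown"


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv2 ClientHello, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(1024)
        except socket.timeout:                # silent server: treat as not answering SSLv2
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    print(probe_sslv2("www.example.invalid"))   # placeholder host; expect "closed" or "alert"
```

A verdict of "sslv2" after the configuration change means the directive did not take effect on that listener; "closed" or "alert" is what a correctly configured server should produce.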