WebApp Sec mailing list archives
Re: SSL 2.0 enabled or disabled?
From: "Blane Perry" <perrybl () michigan gov>
Date: Wed, 19 May 2004 17:22:35 -0400
Does anyone know of a tool that can scan a web server to determine which version of SSL is being used? nmap? nessus?
Ralf Durkee <rd () rd1 net> 05/19/04 05:51AM >>>
At 07:13 PM 5/18/2004 -0700, Ooper Starr wrote:
Given all the vulnerabilities with SSL 2.0, do most people disable
SSL 2.0
on their servers or are there concerns of potential loss of consumers
that
may only have clients that support 2.0 who use the application? IE's
defaults are SSL 2.0 & 3.0 enabled and TLS 1.0 disabled. Any good
papers
about this topic? ____________________________________________________________
As you suggest SSLv2 should be disabled as it is vulnerable. It can be
disabled without concern for loss of customers. I have been requiring
or
recommending (depending on my role) disabling SSLv2 for several years,
at
least since late 2000, as all of the browsers support sslv3 or better.
I've
always found it curious that IE disables TLSv3 by default, I suspect
the MS
decision maker just didn't know what TLS was. Most of the servers I
have
reviewed or audited for the first time, do not disable SSLv2 at least
until
after the first review. I also recommend disabling SSLv2 on the
client
browser and enabling SSLv3 and TLSv1. I have only found 2 web servers
since
2000 that didn't support SSLv3 or TLSv1. Although when IE encounters
a
server that doesn't support it's required versions, it will just sit
there
and "spin" when it can't complete the handshake, there's no error
message
given.
-- Ralf Durkee, CISSP, GSEC, GCIH Principal Consultant http://rd1.net
Current thread:
- SSL 2.0 enabled or disabled? Ooper Starr (May 18)
- Re: SSL 2.0 enabled or disabled? Ralf Durkee (May 19)
- Re: SSL 2.0 enabled or disabled? Jason Coombs (May 20)
- <Possible follow-ups>
- Re: SSL 2.0 enabled or disabled? Ralf Durkee (May 20)
- Re: SSL 2.0 enabled or disabled? Blane Perry (May 20)
- Re: SSL 2.0 enabled or disabled? Mark Foster (May 20)
- RE: SSL 2.0 enabled or disabled? Dimitris Petropoulos (May 20)
- Re: SSL 2.0 enabled or disabled? Rogan Dawes (May 20)
- RE: SSL 2.0 enabled or disabled? Dimitris Petropoulos (May 20)
- Re: SSL 2.0 enabled or disabled? Rogan Dawes (May 21)
- Re: SSL 2.0 enabled or disabled? James Bowman (May 24)
- RE: SSL 2.0 enabled or disabled? Dimitris Petropoulos (May 25)
- Re: SSL 2.0 enabled or disabled? Ralf Durkee (May 19)