Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: emissions on February 25, 2009, 12:41:17 AM
-
I had an application I'm using do a vulnerability scan on my server and it came back saying SSLv2 is being supported. Remediation action is to disable SSLv2 and that SSLv2, TLSv1 or newer should be implemented.
I've read on some Apache servers that both are installed but v2 is used by default. Is this the case for SME?
How do I disable SSLv2 and enable SSLv3 by default?
Any help would be greatly appreciated. Thanks in advance.
-
I had an application I'm using do a vulnerability scan on my server and it came back saying SSLv2 is being supported. Remediation action is to disable SSLv2 and that SSLv2, TLSv1 or newer should be implemented.
I think you mean SSLv3 instead of (the second SSLv2) there.
SME Server is configured (by default) to supply all protocols (SSLv2, SSLv3 and TLSv1) as the SSLProtocol (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslprotocol) is set to All in the httpd.conf file using this template fragment 35SSL30SSLProtocol which reads:
{
# Specify which SSL Protocols to accept for this context
}
SSLProtocol all
I've read on some Apache servers that both are installed but v2 is used by default. Is this the case for SME?
You should be able to find that in the Apache documentation, I think.
How do I disable SSLv2 and enable SSLv3 by default?
Any help would be greatly appreciated. Thanks in advance.
Clues to that could also be found in the manual quoted earlier. Keep in mind that direct changes to the configuration file will be overwritten, as the configuration files in SME Server are created based on templates (more on the template system in the SME Server Developers Guide linked in the wiki).
Basically, if you want to make changes you need to recreate the exact directory tree (down to the file) in /etc/e-smith/templates-custom/ as it is laid out in /etc/e-smith/templates/.
Then copy the original fragment to the new location and make your changes there; in this case you could have the fragment read:
{
# Specify which SSL Protocols to accept for this context
}
SSLProtocol all -SSLv2
Regenerate your httpd.conf file:
expand-template /etc/httpd/conf/httpd.conf
And restart your webserver:
sv t httpd-e-smith
I am not really sure if the use of SSLv2 is a big security risk though. If you are bothered about that, I assume you also configured remote access to use private/public keys, if you should even allow access over SSH at all; if you did not do so, I am far more worried about that risk than about the SSLv2 risk. Did you investigate the consequences of disabling SSLv2? Did you investigate the risks involved in using SSLv2 compared to SSLv3 or TLSv1 (as, if this were a serious risk, we should disable it and you should file a bug for it), or are you mainly guided by a vulnerability check? Do you know the background and origin of the vulnerability check? I am curious to know more details on it, as I have seen some that are not that good at checking the real vulnerabilities...
-
emissions,
We failed a required security scan because of the SSL2 issue as well. Here's the instructions I have on file to configure the server to use only SSL3:
1. If it doesn't exist, create this directory tree: /etc/e-smith/templates-custom/etc/httpd/conf
2. Change to the directory:
cd /etc/e-smith/templates-custom/etc/httpd/conf
3. Copy the standard template fragment file to the custom one:
cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol 35SSL30SSLProtocol
4. Edit 35SSL30SSLProtocol and change the last line as shown. If the "before" file looks different than what is shown here, do further research to make sure that this fix will still work.
Contents of file before edit:
---------------------------------------------------
{
# Specify which SSL Protocols to accept for this context
}
SSLProtocol all
---------------------------------------------------
Contents after edit:
---------------------------------------------------
{
# Specify which SSL Protocols to accept for this context
}
SSLProtocol SSLv3
---------------------------------------------------
5. Tell the server to re-create the /etc/httpd/conf/httpd.conf configuration file based on the new template:
expand-template /etc/httpd/conf/httpd.conf
6. Restart the server:
reboot
If something goes wrong and the custom template doesn't work, simply delete 35SSL30SSLProtocol from /etc/e-smith/templates-custom/etc/httpd/conf and run steps 5 and 6. This will put your server back in the original state before you made any modifications.
-
We failed a required security scan because of the SSL2 issue as well.
So open a bug report, already.
-
So open a bug report, already.
It seems to have been raised: http://bugs.contribs.org/show_bug.cgi?id=5034
-
SSLProtocol SSLv3
This is a little more than asked for by the OP. I already stated that to disable SSLv2 you need a little different line, as the above disables everything and only allows SSLv3, so it also disables TLSv1 and other protocols to come in the future.
I suggest you only disable what you really need to disable using the instructions in my earlier post (http://forums.contribs.org/index.php/topic,43403.msg206727.html#msg206727) unless you explicitly only want to use SSLv3.
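An added check (not part of the thread, nor of SME Server's own tooling) that evaluates the two fragments discussed above, SSLProtocol all -SSLv2 and SSLProtocol SSLv3, the way mod_ssl reads them, so that after expand-template you can confirm the generated httpd.conf no longer permits SSLv2. It assumes POSIX sh with grep, awk and mktemp; the sample files are constructed stand-ins for /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example: decide whether an Apache mod_ssl SSLProtocol directive
# still leaves SSLv2 enabled, and scan an httpd.conf for such directives.

# sslv2_state "ARGS": ARGS is the directive's argument list, e.g. "all -SSLv2".
# mod_ssl processes tokens left to right: "all" (or "+all") enables every
# protocol, "-all" disables them, "X"/"+X" enables X and "-X" disables X.
# Prints "yes" if SSLv2 ends up enabled, "no" otherwise.
sslv2_state() {
    enabled=no
    for tok in $1; do
        tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')   # mod_ssl matches case-insensitively
        case "$tok" in
            all|+all|sslv2|+sslv2) enabled=yes ;;
            -all|-sslv2)           enabled=no ;;
        esac
    done
    echo "$enabled"
}

# check_conf FILE: print every active (non-comment) SSLProtocol directive in
# FILE with its SSLv2 verdict. Returns 0 when none leaves SSLv2 enabled.
check_conf() {
    bad=$(grep -v '^[[:space:]]*#' "$1" \
        | awk 'tolower($1)=="sslprotocol" {$1=""; print}' \
        | while read -r args; do
              state=$(sslv2_state "$args")
              echo "SSLProtocol $args -> SSLv2 enabled: $state" >&2
              [ "$state" = yes ] && echo x
          done | grep -c x || true)
    [ "$bad" -eq 0 ]
}

# Constructed samples: httpd.conf before and after the custom fragment.
before=$(mktemp); after=$(mktemp)
printf '# Specify which SSL Protocols to accept for this context\nSSLProtocol all\n' > "$before"
printf '# Specify which SSL Protocols to accept for this context\nSSLProtocol all -SSLv2\n' > "$after"
check_conf "$before" && echo "before: OK" || echo "before: SSLv2 still enabled"
check_conf "$after"  && echo "after: OK"  || echo "after: SSLv2 still enabled"
rm -f "$before" "$after"
```

The per-directive verdicts go to stderr so the exit status alone can drive a post-change check in a script.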