
Disable SSLv2 and Weak Ciphers

19 February 2011

Are you still using Secure Socket Layer (SSL) version 2 on your web server? If so, you need to read this article. It can save your life. Okay, maybe not that dramatic, but it will show you how to disable SSLv2. Why? There are known vulnerabilities in this version of the protocol. If you don't disable it, your web server might get compromised.

This vulnerability exists whether you are running Apache or IIS. The steps to disable it are fairly trivial. So go ahead and try it out.

How do I check if SSLv2 is enabled on Apache or IIS?

If you are running Linux, you can use OpenSSL to verify if SSL v2 is enabled on your web server. Run the following command to test:

$ openssl s_client -ssl2 -connect SERVERNAME:443

For example, if I run this command against google.com, I get the following error message:

$ openssl s_client -ssl2 -connect google.com:443

CONNECTED(00000003)
3308:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:


How do I configure Apache not to accept SSLv2 connections?

Edit your Apache configuration to include the line below. You can add it to the httpd.conf or ssl.conf file.

SSLProtocol -ALL +SSLv3 +TLSv1

Restart your Apache process by running the command below. Verify that your Apache web server is no longer accepting SSLv2 connections by running the command from above.

# /etc/init.d/apache2 restart

How do I configure Microsoft IIS not to accept SSLv2 connections?

Modify the Windows registry to include the following:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Restart your IIS process by running the command below. Verify that your IIS web server is no longer accepting SSLv2 connections by running the command from above.

C:\> iisreset /restart

How do I know if my web server supports weak SSL ciphers?

If you are running Linux, you can use OpenSSL to verify whether weak SSL ciphers are enabled on your web server. Run the following command to test:

$ openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

For example, if I run this command against google.com, I get the following error message:

$ openssl s_client -connect google.com:443 -cipher LOW:EXP

CONNECTED(00000003)
3409:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:578:
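The two checks above (SSLv2 and LOW:EXP ciphers) are easy to script. The following is an added example, not part of the original post: it classifies the output of `openssl s_client` into REFUSED, ACCEPTED or UNSUPPORTED, using the two error lines quoted above plus constructed samples for the other outcomes. The UNSUPPORTED case matters in practice: a current OpenSSL build no longer offers `-ssl2` or LOW/EXP ciphers at all, so a failed command from such a client proves nothing about the server.

```shell
#!/bin/sh
# Added example (not from the original post): script the two s_client checks
# above and classify their output instead of reading it by eye.
#   REFUSED     - the server aborted the handshake (the result you want)
#   ACCEPTED    - the server negotiated SSLv2 / a LOW:EXP cipher (fix it)
#   UNSUPPORTED - the local openssl could not even offer it (inconclusive;
#                 current builds drop -ssl2 and LOW/EXP ciphers entirely)
classify_handshake() {
    case "$1" in
        *"unknown option"*|*"Unknown option"*|*"no cipher match"*|*"no ciphers available"*)
            echo UNSUPPORTED ;;
        *"handshake failure"*|*"wrong version number"*|*"Cipher is (NONE)"*)
            echo REFUSED ;;
        *"Cipher is "*)
            # s_client only prints a negotiated cipher name after a full handshake
            echo ACCEPTED ;;
        *)
            echo UNSUPPORTED ;;
    esac
}

# probe HOST PORT [s_client options...]  (needs network; not exercised by the tests)
probe() {
    host=$1; port=$2; shift 2
    classify_handshake "$(openssl s_client "$@" -connect "$host:$port" </dev/null 2>&1)"
}

# Constructed sample outputs. The first two are the error lines quoted in the
# post; the last two are made up to show the other outcomes.
SAMPLE_SSLV2_REFUSED='CONNECTED(00000003)
3308:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:'
SAMPLE_WEAK_REFUSED='CONNECTED(00000003)
3409:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:578:'
SAMPLE_WEAK_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit'
SAMPLE_NO_SSL2_CLIENT='unknown option -ssl2
usage: s_client args'

# classify_handshake "$SAMPLE_SSLV2_REFUSED"  -> REFUSED
# classify_handshake "$SAMPLE_WEAK_ACCEPTED"  -> ACCEPTED
# classify_handshake "$SAMPLE_NO_SSL2_CLIENT" -> UNSUPPORTED
# Live use: probe www.example.com 443 -ssl2 ; probe www.example.com 443 -cipher LOW:EXP
```

An UNSUPPORTED result means you need a client that can still speak SSLv2 or offer export ciphers (for example an older OpenSSL build kept only for testing) before you can draw any conclusion about the server.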


How do I disable weak SSL ciphers on Apache?

Edit the httpd.conf or ssl.conf file to include the following line:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Restart your Apache process by running the command below. Verify that your Apache web server is no longer accepting weak SSL ciphers by running the command from above.

# /etc/init.d/apache2 restart

How do I disable weak SSL ciphers on IIS?

Modify the Windows registry to include the following:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

Restart your IIS process by running the command below. Verify that your IIS web server is no longer accepting weak SSL ciphers by running the command from above.

C:\> iisreset /restart

That's it. You should be all set now. Relax and take a break!


One Comment »

  • Greg said:

    How do I check if SSLv2 is enabled on Apache or IIS?

    If you are running Linux, you can use OpenSSL to verify if SSL v2 is enabled on your web server. Run the following command to test:

    … and if we’re not using Linux?

    The article was very one-sided; I need to disable SSL v2 in IIS, not linux.

    Plus, your registry entries are outdated for 2008 R2.
