VID 22386
Severity 30
Port 80, ...
Protocol TCP
Class SSL
Detailed Description The SSL server accepts connections encrypted using SSLv2. SSL (Secure Sockets Layer) is a commonly used protocol for providing secure communication between a client and a server on the Internet. The SSLv2 protocol is reported to suffer from several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks, read secure communications, or maliciously modify messages.

* References:
http://www.schneier.com/paper-ssl.pdf

* Platforms Affected:
Any operating system, any version
Recommendation Remove the risk associated with this vulnerability by disabling SSL 2.0 and using SSL 3.0 or TLS 1.0 instead. Note that SSLv2 is enabled by default for backward compatibility.

For Sun Java (Netscape Enterprise) Web Server and Application Server:
Disable SSLv2 via the Administration Server, as listed in the Sun Alert ID: 57632 at http://au.sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-57632-1&searchclause=57632

For Apache Web server:
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
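The SSLProtocol directive above is evaluated the way mod_ssl parses it: a bare keyword replaces the protocol set, "+" adds to it, "-" removes from it, and "all" is the full set. The script below is an added example (not part of this advisory) that applies those rules to an httpd.conf or ssl.conf fragment and reports whether SSLv2 remains negotiable; the sample fragments are constructed, and a configuration with no SSLProtocol line is treated as "all", matching the advisory's note that SSLv2 is on by default.

```python
import re

# Protocol keywords mod_ssl accepts: the three named in the advisory plus the later TLS versions.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_BY_LOWER = {p.lower(): p for p in PROTOCOLS}

def protocols_enabled(args: str) -> set:
    """Protocol set selected by the arguments of one SSLProtocol directive."""
    enabled = set()
    for word in args.split():
        sign, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        key = name.lower()                      # keywords are case-insensitive
        if key == "all":
            names = set(PROTOCOLS)
        elif key in _BY_LOWER:
            names = {_BY_LOWER[key]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword: {word!r}")
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:                                   # bare keyword replaces the set built so far
            enabled = names
    return enabled

# Matches an uncommented SSLProtocol directive and captures its arguments.
_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def audit_sslv2(config_text: str) -> list:
    """One (args, enabled_protocols, sslv2_allowed) tuple per SSLProtocol directive.
    With no directive present, mod_ssl falls back to 'all', which includes SSLv2."""
    directives = [m.group(1) for m in _DIRECTIVE.finditer(config_text)] or ["all"]
    findings = []
    for args in directives:
        enabled = protocols_enabled(args)
        findings.append((args, enabled, "SSLv2" in enabled))
    return findings

# Constructed sample fragments: the pre-remediation state and the advisory's recommended directive.
WEAK_CONF = "SSLEngine on\nSSLProtocol all\n"
HARDENED_CONF = ("SSLEngine on\n"
                 "SSLProtocol -ALL +SSLv3 +TLSv1\n"
                 "SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM\n")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for args, enabled, bad in audit_sslv2(conf):
            verdict = "SSLv2 ALLOWED" if bad else "ok"
            print(f"{label}: SSLProtocol {args} -> {sorted(enabled)} {verdict}")
```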

For Microsoft IIS:
To disable the SSL 2.0 protocol so that IIS does not try to negotiate using the SSL 2.0 protocol, follow these steps:
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.
6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
7. Click OK. Restart the computer.

For other distributions:
Contact your vendor for upgrade or patch information.