| Field | Value |
|---|---|
| VID | 22737 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | SSL |
Detailed Description:

The SSL server accepts connections encrypted using SSLv3.

SSL/TLS is a family of protocols. Weaknesses have been identified in the earlier SSL protocols, including SSLv2 and SSLv3, so SSL versions 1, 2 and 3 should no longer be used. The best practice for transport layer protection is to support only the TLS protocols: TLS 1.0, TLS 1.1 and TLS 1.2. This configuration provides maximum protection against skilled and determined attackers and is appropriate for applications handling sensitive data or performing critical operations.

* References: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Protocols
* Platforms Affected: Any operating system, any version
Recommendation:

Eliminate the risk associated with this vulnerability by disabling SSL 3.0 and using TLS 1.2 instead.

For Apache web server: ssl.conf should contain the following line:

    SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

For other distributions: contact your vendor for upgrade or patch information.
Related URL (CVE):
Related URL (SecurityFocus):
Related URL (ISS):