Background: I ran a security check on a dedicated server (Linux) that I now administer, using: https://www.ssllabs.com/ssldb/index.html. It says that my SSL protocols are:
Protocols
- TLS 1.2 No
- TLS 1.1 No
- TLS 1.0 Yes
- SSL 3.0 Yes
- SSL 2.0+ Yes upgrade support
- SSL 2.0 Yes INSECURE
I am going to be adding an SSL certificate to the server, so I figure I should fix it while I am there. I am new to web-hosting administration, so explanations are useful for me.
My Question(s): First, what is SSL 2.0+ upgrade support? Second, can I disable SSL 2.0 and not disable SSL 2.0+? My Apache 2.x currently has the SSLCipherSuite setting of:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
If I change it to
SSLCipherSuite All:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
will it accomplish my goal?
Thanks in advance! (First Post!)
You mistook "SSL 2.0+ upgrade support" for something it isn't. That one means the server supports the old SSL 2.0-style handshake that was later on extended to allow initiating the connection in the old 2.0 style but let the client specify it really wanted to talk SSL 3.0 anyway. It is not a security issue and you can leave it enabled as long as you intend to provide SSL 3.0 support.
Also, this whole thing is not about cipher suites but protocol versions.
To leave everything Apache supports enabled except SSL 2.0, use:
SSLProtocol all -SSLv2
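As an added illustration of the answer's point (this is not code from the post or from the Apache project), the script below places the questioner's original configuration, which has no SSLProtocol line at all, beside the corrected one, and evaluates each SSLProtocol directive the way mod_ssl's parser reads its tokens. It assumes the httpd 2.2-era semantics: `all` expands to SSLv2, SSLv3 and TLSv1, an absent directive behaves like `all`, `+name`/`-name` add or remove a protocol, and a bare name replaces the set. Both configuration fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the post. Reports whether a given Apache mod_ssl
# configuration text still leaves SSLv2 enabled, based only on the
# SSLProtocol directive (the SSLCipherSuite line has no say in this).
# Assumptions (httpd 2.2-era mod_ssl): "all" includes SSLv2; no directive
# means "all"; "+x"/"-x" add/remove; a bare name replaces the whole set.

# sslv2_enabled CONFIG_TEXT -> prints "yes" or "no"
sslv2_enabled() {
    # Take the arguments of the last SSLProtocol line (case-insensitive);
    # empty if the directive is absent.
    args=$(printf '%s\n' "$1" |
        awk 'tolower($1)=="sslprotocol" {$1=""; last=$0} END {print last}')

    if [ -z "$args" ]; then
        echo yes      # directive absent: default is "all", which has SSLv2
        return 0
    fi

    state=no
    for tok in $args; do
        tok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case "$tok" in
            all|sslv2)   state=yes ;;   # bare name: set replaced, SSLv2 in
            +all|+sslv2) state=yes ;;   # added to the set
            -all|-sslv2) state=no ;;    # removed from the set
            +*|-*)       ;;             # other protocol added/removed: no effect
            *)           state=no ;;    # bare other protocol: set replaced, SSLv2 out
        esac
    done
    echo "$state"
}

# Constructed fragment mirroring the question: cipher string only, no
# SSLProtocol directive, so the protocol default applies.
WEAK_CONF='SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'

# Constructed fragment with the answer's fix applied. The cipher string is
# left as-is on purpose: the protocol line alone decides the SSLv2 question.
FIXED_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'

printf 'weak config  -> SSLv2 enabled: %s\n' "$(sslv2_enabled "$WEAK_CONF")"
printf 'fixed config -> SSLv2 enabled: %s\n' "$(sslv2_enabled "$FIXED_CONF")"
```

Run it as `sh check_sslv2.sh`; the first line reports `yes`, the second `no`. Token order matters: `SSLProtocol -SSLv2 all` re-enables SSLv2 because `all` is processed after the removal. Note that the script only answers the protocol-version question the answer addresses; the `+LOW`, `+EXP` and `+eNULL` entries in the cipher string are a separate weakness that the SSLProtocol change does not touch.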