SSLv2, why are you still around?

What

The SSLv2 protocol is an obsolete version of SSL that has been deprecated since 1996 2011 due to having several security flaws. Current standards (2016) are SSL 3.0 and TLS 1.0TLS1.0-1.2 with SSL being fully deprecated, however, a common finding in Nessus scans of web servers SSLv2 is still enabled. IIS through v7 and Apache with OpenSSL prior to v1.0 have it enabled by default.

There are two components that determine the cryptographic strength of an SSL connection – the SSL protocol version and the cipher suites used. The SSL version is the language the client and server will use to talk with each other. It controls the encryption process, but does not define the cipher suites that are used. The ciphers in the certificate are independent and are specified when the certificate is generated and control the strength of the encrypted data. As long as the certificate supports high strength ciphers, you can disable the lower strength ciphers without issue.

Why use SSLv2?

Very few clients should still be using this protocol, and best practice is to disable it to prevent man in the middle attacks. Some organizations also might need to disable it to meet PCI requirements, which require cardholder data be transmitted over 128bit SSL 3.0 or greater (page 15). There really is no downside – all browsers have been supporting TLS or SSLv3 for over a decade (page 11) – and in my opinion, it should have been disabled by default on web servers a long time ago.

How – Checking if your server supports SSLv2

The easiest way is to use a linux box with the openssl binaries installed. Running the following command forces openssl to connect to the server using the SSLv2 protocol only. Getting an error similar to this means SSLv2 is disabled:

[dan@bt ~]$ openssl s_client -connect hostname:443 -ssl2
CONNECTED(00000003)
7668:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

If SSLv2 is enabled, the certificate information will be displayed. If you want to check for other versions of the protocol, just change -ssl2 to -ssl3 or -tls1.

Alternatively, if you have Nessus available, you can run plugins 20007 and 26928 to check for deprecated protocol usage and cipher strength.

Disabling SSLv2

Since SSLv2 is a protocol, its use is controlled by the serving application (in this case, a web server). Unfortunately, IIS and Apache still allow it by default, so clients can still negotiate its use when it connects.

IIS

IIS requires some registry entries be modified. The detailed Microsoft Knowledge Base article is in the references, but here is a summary:

  1. Navigate to HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Server. If the SSL 2.0 or Server keys don’t exist, create them.
  2. Add a DWORD value titled “Enabled” and leave the value as 0.
  3. Reboot.

Apache

Apache requires editing the SSL configuration in the httpd.conf file. Modifying the SSLProtocol and SSLCipherSuite directives in httpd.conf (or ssl.conf, depending on your installation) will only allow SSL 3.0, TLS 1.0, and strong and medium ciphers:

SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

Then restart the httpd process.

Wrapping it up

I have no idea why new versions of these popular web servers have SSLv2 enabled by default when most modern browsers have support for this 17 year old protocol disabled by default or don’t even offer an option to enable it. Sure, it is nice they left an option to manually enable it on a server to support those ancient clients your customers refuse to give up. But in my opinion, it would have been nice to keep it disabled out of the box, further moving the world away from this deprecated protocol.

If you’re enforcing use of the latest protocols, the next step is to verify that your certificate isn’t using at weak ciphers. The free SSLDigger tool provided by McAfee Foundstone will analyze the cert from any web page and show you which ciphers are supported. Unfortunately, adding new cipher support requires a regeneration of your cert from the authority, but it may be possible to prohibit weaker, undesirable ciphers in you application. For information on how to do that on IIS and Apache, see here and here, respectfully.

References

Ciphers

2 thoughts on “SSLv2, why are you still around?”

Leave a Reply

Your email address will not be published. Required fields are marked *