I am in the process of disabling SSLv2 and associated protocols for PCI compliance. I have followed all mentioned steps from the following sites:
We are running in a mixed environment with both Win Server 2003 Ent and Win Server 2008 R2 Ent on all servers. I keep failing the PCI compliance scan run by Qualys.
Scan results are as follows for all servers regardless of OS type:
QID: 38139
Category: General remote services
CVE ID: -
Vendor Reference: -
Bugtraq ID: -
Service Modified: 07/07/2009
User Modified: -
Edited: No
PCI Vuln: Yes
CVSS Base: 4
CVSS Temporal: 3.6

THREAT:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages.
These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular Web servers, mail servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility.
The following link provides more information about this vulnerability:
Analysis of the SSL 3.0 Protocol
IMPACT:
An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.

SOLUTION:
Disable SSLv2.
Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
For Apache/apache_ssl, httpd.conf or ssl.conf should have the following line:
How to disable SSLv2 on IIS: Microsoft Knowledge Base Article 187498
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll: Microsoft Knowledge Base Article 245030
The ports that are failing are 443 and 4443. Any suggestions? Is anyone else still failing scans after making the changes to disable it?
Any help would be appreciated!! Thanks in advance!
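The Schannel change from KB 245030 that the scan expects, written out as an added PowerShell example (this is not code from the original post or from Microsoft's article). It assumes PowerShell 2.0 or later (shipped with Windows Server 2008 R2), an elevated session, and the standard Schannel key layout, in which the per-protocol Server subkey does not exist until you create it. Two things that commonly leave a scan failing even after the registry edit: Schannel reads these values at startup, so the server must be rebooted before the listener actually refuses SSLv2; and the registry only governs listeners that use Schannel, so a service on 4443 that ships its own TLS stack (an OpenSSL- or Java-based application, for example) has to be configured separately.

```powershell
# Added example, not from the original post: disable SSLv2 for server-side
# Schannel (KB 245030) and read the values back to confirm they were written.
# Assumes PowerShell 2.0+ and an elevated prompt. A reboot is required before
# the change takes effect.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelServerProtocol {
    param([string]$Name)   # e.g. 'SSL 2.0'; the subkey name uses a space
    $server = Join-Path (Join-Path $base $Name) 'Server'
    # The 'SSL 2.0\Server' key is absent on a default 2003 / 2008 R2 install.
    if (-not (Test-Path $server)) { New-Item -Path $server -Force | Out-Null }
    # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it off
    # for callers that do not name a protocol explicitly.
    New-ItemProperty -Path $server -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $server -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SchannelServerProtocolDisabled {
    param([string]$Name)
    $server = Join-Path (Join-Path $base $Name) 'Server'
    if (-not (Test-Path $server)) { return $false }
    $p = Get-ItemProperty -Path $server
    return ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
}

Disable-SchannelServerProtocol 'SSL 2.0'

if (Test-SchannelServerProtocolDisabled 'SSL 2.0') {
    Write-Host 'SSL 2.0 server-side values are set; reboot for Schannel to apply them.'
} else {
    Write-Host 'SSL 2.0 values were not written; check that the session is elevated.'
}

# Show which process owns the ports the scanner flags. If the owner on 4443 is
# not an Schannel user (IIS, RDP, etc.), the registry change will not cover it.
netstat -ano | findstr ':443 '
netstat -ano | findstr ':4443 '
```

After the reboot, re-run the scan rather than trusting the registry alone; Qualys tests the handshake on the wire, and the registry values only prove what Schannel will load, not what the process on 4443 is actually speaking.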