Hey all, we had a 3rd party company come in to check security, etc., and the only thing that showed up as a medium risk was the following:
Quote:
SSLv2 Supported:
This SSL service supports SSLv2 connections. SSLv3 has known cryptographic weaknesses. Secure web applications should only enable the SSLv3 or TLSv1 protocols.
They suggest disabling the use of SSL2 if possible, but I am not sure where to look.
The box uses SSL for secure transactions, but I am not familiar with just 'disabling' v2 and allowing 3. Is this an Apache change somewhere, a simple conf file change, etc.?
I did find an idea googling, and in an included httpd-ssl.conf file found:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
It can't be something as simple as changing that v2 to v3, can it?
Thanks for any replies.
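
Added example, not part of the original post: a small Python parser for the OpenSSL cipher-list syntax used by the SSLCipherSuite line quoted above, showing what each operator does and whether the SSLv2 suites are actually excluded. The function names are hypothetical; the only input is the string from the post.

```python
import re

# The SSLCipherSuite value quoted in the post above.
POSTED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"

# Meaning of the leading operator on each term (OpenSSL cipher-list syntax).
ACTIONS = {
    "!": "remove permanently",
    "-": "remove (a later term may re-add)",
    "+": "move to end of list (adds nothing)",
    "": "add to list",
}

def parse_cipher_list(spec):
    """Split a cipher list into (action, keywords) pairs.

    Terms are separated by ':' (',' and ' ' are also accepted). A '+' at the
    start of a term is the reorder operator; a '+' inside a term is a logical
    AND of keywords, as in RC4+RSA.
    """
    terms = []
    for raw in re.split(r"[:, ]+", spec.strip()):
        if not raw:
            continue
        op = raw[0] if raw[0] in "!-+" else ""
        keywords = raw[len(op):].split("+")
        terms.append((ACTIONS[op], keywords))
    return terms

def sslv2_excluded(spec):
    """True only if some term permanently removes the SSLv2 suites (!SSLv2)."""
    return any(action == ACTIONS["!"] and kw == ["SSLv2"]
               for action, kw in parse_cipher_list(spec))

def without_sslv2(spec):
    """Drop terms that name only SSLv2 and append !SSLv2.

    This addresses the SSLv2 finding only; other terms are left untouched.
    """
    kept = [t for t in re.split(r"[:, ]+", spec.strip())
            if t and t.lstrip("!-+") != "SSLv2"]
    return ":".join(kept + ["!SSLv2"])

if __name__ == "__main__":
    for action, kw in parse_cipher_list(POSTED):
        print(f"{'+'.join(kw):10} {action}")
    print(sslv2_excluded(POSTED), without_sslv2(POSTED))
```

The cipher list only decides which suites are offered; the protocol versions themselves are controlled by mod_ssl's separate SSLProtocol directive (for example `SSLProtocol all -SSLv2`).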