SSL 2.0 has been known to be unsafe for almost 20 years. In fact, this prompted Netscape to develop a completely redesigned
replacement protocol, SSL 3.0, which it released in early 1996.
Modern browsers don't support SSL 2.0 nor do most SSL/TLS libraries. OpenSSL might be the only major SSL/TLS library that still
supports the protocol by default (n.b. OpenSSL's default cipher list doesn't include any SSL 2.0 ciphers though many applications
set their own cipher lists). Mozilla's NSS also contains SSL 2.0 support in its code base but, since NSS 3.13, it is disabled by
default and is planned for complete removal in the near term.
Among the protocol's bigger problems:
- The handshake is vulnerable to MiTM attacks
- MAC construction is weak and relies on MD5
- Weak export-grade ciphers weaken MACs
- Same cryptographic key used for message authentication and encryption
- TCP FIN is taken as EOD permitting truncation attacks
For these reasons, disabling SSL 2.0 is one of the OpenSSL recommendations I make in a security/vulnerability post (note: many
OSes such as Debian, Ubuntu, and OpenBSD build OpenSSL without SSL 2.0).
Caveat utilitor: before making the decision to switch to a non-SSLv2 OpenSSL, it is important to realize things can get a little
messy - Slackware packages that link OpenSSL SSLv2 functions will need to be rebuilt or, possibly, upgraded. A partial list
includes: neon, Python, M2Crypto, curl, php, qt, ruby, wget, fetchmail, stunnel, mailx, httpd.
However, the result is an OS purged of the possibility of unsafe SSL 2.0 usage (at least via OpenSSL).
--mancha
---------
Note: while re-building neon and Python against my SSLv2-less OpenSSL, I realized my personal OpenSSL slackbuild was incorrectly
disabling SSLv2 by defining the OPENSSL_NO_SSL2 macro rather than using "no-ssl2". This prevented the macro from getting defined
in one of OpenSSL's public headers and became an issue when rebuilding programs because they couldn't detect that SSLv2 wasn't
supported.
I mention this for those who are using my slackbuild (contained in openssl-20140605.tar.bz2). The new openssl-20140916.tar.bz2
provides a corrected slackbuild along with the latest OpenSSL source code of the relevant branches (i.e. 1.0.1i and 0.9.8zb).
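The two checks this post implies, as an added example that is not part of the original post or of the slackbuild: confirm that the installed opensslconf.h publishes OPENSSL_NO_SSL2, and list binaries that still import SSLv2_* functions and so need a rebuild. The function names and the sample nm output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for a no-ssl2 OpenSSL.

# Succeeds if the opensslconf.h given as $1 publishes OPENSSL_NO_SSL2,
# which is what dependent packages test for at build time.
header_disables_ssl2() {
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_SSL2([[:space:]]|$)' "$1"
}

# Reads `nm -D` output on stdin, prints undefined SSLv2_* symbols and
# succeeds only if at least one was found. SSLv23_* (the version-flexible
# methods) is deliberately not matched: the pattern requires "SSLv2_".
ssl2_imports() {
    awk '$1 == "U" && $2 ~ /^SSLv2_/ { print $2; n++ } END { exit (n ? 0 : 1) }'
}

# Prints each file under directory $1 that still imports SSLv2 functions.
scan_dir() {
    find "$1" -type f | while IFS= read -r f; do
        if nm -D "$f" 2>/dev/null | ssl2_imports >/dev/null; then
            echo "$f"
        fi
    done
}

# Constructed sample of `nm -D` output (not captured from a real system).
SAMPLE_NM='                 U SSL_CTX_new
                 U SSLv2_client_method
                 U SSLv23_client_method
0000000000004010 T main'
```

Typical use would be `header_disables_ssl2 /usr/include/openssl/opensslconf.h` followed by `scan_dir /usr/bin` and `scan_dir /usr/lib`; those paths are the usual install locations and are an assumption here.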