Home page logo

webappsec logo WebApp Sec mailing list archives

Re: SSL 2.0 enabled or disabled?
From: Ralf Durkee <rd () rd1 net>
Date: Wed, 19 May 2004 05:51:09 -0400

At 07:13 PM 5/18/2004 -0700, Ooper Starr wrote:
Given all the vulnerabilities with SSL 2.0, do most people disable SSL 2.0 on their servers or are there concerns of potential loss of consumers that may only have clients that support 2.0 who use the application? IE's defaults are SSL 2.0 & 3.0 enabled and TLS 1.0 disabled. Any good papers about this topic?

As you suggest SSLv2 should be disabled as it is vulnerable. It can be disabled without concern for loss of customers. I have been requiring or recommending (depending on my role) disabling SSLv2 for several years, at least since late 2000, as all of the browsers support sslv3 or better. I've always found it curious that IE disables TLSv3 by default, I suspect the MS decision maker just didn't know what TLS was. Most of the servers I have reviewed or audited for the first time, do not disable SSLv2 at least until after the first review. I also recommend disabling SSLv2 on the client browser and enabling SSLv3 and TLSv1. I have only found 2 web servers since 2000 that didn't support SSLv3 or TLSv1. Although when IE encounters a server that doesn't support it's required versions, it will just sit there and "spin" when it can't complete the handshake, there's no error message given.

-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]