WebApp Sec: Re: SSL 2.0 enabled or disabled?

["Blane Perry" <perrybl () michigan gov>]

Does anyone know of a tool that can scan a web server to determine which
version of SSL is being used?  nmap?  nessus?


> > > Ralf Durkee <rd () rd1 net> 05/19/04 05:51AM >>>
At 07:13 PM 5/18/2004 -0700, Ooper Starr wrote:
> > Given all the vulnerabilities with SSL 2.0, do most people disable
SSL 2.0 
> > on their servers or are there concerns of potential loss of consumers
that 
> > may only have clients that support 2.0 who use the application?  IE's
> > defaults are SSL 2.0 & 3.0 enabled and TLS 1.0 disabled.  Any good
papers 
> > about this topic?
> > ____________________________________________________________
> As you suggest SSLv2 should be disabled as it is vulnerable. It can be
> disabled without concern for loss of customers. I have been requiring
or 
> recommending (depending on my role) disabling SSLv2 for several years,
at 
> least since late 2000, as all of the browsers support sslv3 or better.
I've 
> always found it curious that IE disables TLSv3 by default, I suspect
the MS 
> decision maker just didn't know what TLS was. Most of the servers I
have 
> reviewed or audited for the first time, do not disable SSLv2 at least
until 
> after the first review.  I also recommend disabling SSLv2 on the
client 
> browser and enabling SSLv3 and TLSv1. I have only found 2 web servers
since 
> 2000 that didn't support SSLv3 or TLSv1.  Although when IE encounters
a 
> server that doesn't support it's required versions, it will just sit
there 
> and "spin" when it can't complete the handshake, there's no error
message 
> given.
-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
http://rd1.net