Disabling sslv2 on ACE

Does anybody know how to disable sslv2 on ACE? I know that when we give the "version all" command in the mode parameter-map type ssl, the default setting is sslv3 and TLS1. How do I disable sslv2? When I give the command "sh stats crypto server" I get stats for sslv2 and sslv3.
Thanks

Not sure where you see V2 stats as we can only negotiate SSLv3 or TLS1
From the stats :
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
There is no SSLv2.
We don't support V2 on ACE.
Gilles.

Similar Messages

  • How to Disable SSLv2 in Oracle IAS 10.1.3

    How to disable SSLV2 in Oracle IAS 10.1.3.. I added below in ssl.conf file.. But it is not working...
    SSLProtocol -ALL SSLv3 TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    Thanks
    Lalitha

    How can you have WebCache if you are using 10.1.3 version?
    The cause of this problem has been identified and verified in an unpublished Bug 4761833 : "IE FAILS TO TO CONNECT TO WEBCACHE VIA SSL IF SSLV2.0 IS NOT SELECTED".
    By default Webcache sets its SSL_ENABLED parameter in webcache.xml to: SSLV3_V2H
    This supports only SSL V2.0 and SSLV3.0 and not TLSV1.0
    When IE makes a connection with: SSL V2.0, SSLV3.0, TLSV1.0 all checked, an Ethereal sniff shows:
    SSLV2 Client Hello
    SSLV3 Server Hello
    When IE makes a connection with: SSLV3.0, TLSV1.0 checked, SSL v2.0 unchecked, an Ethereal sniff shows:
    TLSV1 Client Hello
    SSLV3 Alert (Level: Fatal, Description: Unexpected Message)
    When Firefox makes a connection with SSLV3.0, TLSV1.0 checked, SSL v2.0 unchecked an Ethereal
    sniff shows:
    SSLV2 Client Hello
    SSLV3 Server Hello
    So even though SSLV2.0 is unchecked it still makes the initial Client Hello via SSLV2.0 hence why Mozilla works
    The reason why IE fails when SSLV2.0 is unchecked is because IE always uses what it considers to be the best Protocol and picks TLSV1.0, and as the default SSL_ENABLED parameter in Webcache does not support TLS V1.0, then it fails.
    Solution
    To implement the solution, execute the following steps:
    1. Edit the $ORACLE_HOME/webcache/webcache.xml
    For the SSL Listen entry e.g:
    <LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSLV3_V2H" PORTTYPE="NORM">
    Change:
    "SSLV3_V2H"
    to
    "SSL"
    2. Save the file and restart webcache, and then test you can access Webcache via SSL with SSLV2.0 unchecked
    Hope this helps
    Regards.

  • How can I disable SSLv2 on OS X 10.8.5 server

    After running a Nessus scan we get the following finding:
    SSL Version 2 (v2) Protocol Detection
    This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.
    Synopsis :
    The remote service encrypts traffic using a protocol with known
    weaknesses.
    Description :
    The remote service accepts connections encrypted using SSL 2.0, which
    reportedly suffers from several cryptographic flaws and has been
    deprecated for several years. An attacker may be able to exploit
    these issues to conduct man-in-the-middle attacks or decrypt
    communications between the affected service and clients.
    See also :
    http://www.schneier.com/paper-ssl.pdf
    http://support.microsoft.com/kb/187498
    http://www.linux4beginners.info/node/disable-sslv2
    Solution :
    Consult the application's documentation to disable SSL 2.0 and use
    SSL 3.0, TLS 1.0, or higher instead.
    Risk factor :
    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    I cannot find where or how to disable SSLv2? Please help.

    You should post in the server forum, that's where the experts are.
    https://discussions.apple.com/community/servers_enterprise_software?view=overview

  • Disabling SSLv2 with Exchange 2010 - potential problems

    This question is not about how to disable SSLv2, that's very simple.  The question is whether there is anything to consider before doing it.  Is it likely to break anything in Exchange 2010 - Outlook Anywhere, CAS communications, OWA?

    While this is probably something that has not been explicitly tested, chances are that it should not negatively impact Exchange. That said I will ask you to test and validate in your lab!
    You are going to have to ensure that all devices, applications and services that connect all support the changed cipher suites.  Some old phones may not (I don't have a list to share), so that is why validation with your specific kit is critical.
    Cheers,
    Rhoderick
    Microsoft Senior Exchange PFE
    Blog:
    http://blogs.technet.com/rmilne 
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Disable SSLv2 in Leopard

    Hi,
    Trying to disable SSLv2 in Leopard server. (Found the answer for 10.4 and verified system wide) I don't see any documentation in the security, server docs, OD, or anything else I've found. Can anyone help with this?
    Thanks.

    It's configured within your site's .conf file (typically in /etc/apache2/sites if you're running Apache 2).
    However, you probably don't need to worry. The default looks like:
    SSLCipherSuite "ALL:!ADH:RC4RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:eNULL"
    You'll note SSLv2 is disabled.

  • Running Lion 10.7.5, how to disable sslv2 and use only RC4 ciphers to solve vulnerability found in PCI compliance vulnerability scan.

    This is what the scan report told me to do. Is this even a problem that can be solved in a browser? I have akamai installed on my mac and they say that may be giving a false problem concerning the sslv2. I have no idea how to change the ciphers used.

    ATT says the modem for household use that I have cannot be configured to use the more secure CR4 cipher and disable sslv2 settings. Says I need to get a modem designed for business network use. What a nightmare. All I do is go to a pay gateway website and enter in my customer's credit card numbers, which then is deposited into my bank account. Seems this is the same as any credit card purchase I would make online and that ATT should have security for those transactions covered already. The pay gateway site does use CR4, but the scan has failed me because apparently my modem does not. I am not operating an e-commerce website. (I meant to say false POSITIVE in my question above, not false problem.)

  • How to disable sslv2 on windows server 2008 r2

    We are getting alerts from our third party application regarding the vulnerability error in our domain. They mention the following vulnerability message
    Abp

    https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Disabling SSL2 in WebLogic 10.3 not working correctly

    Hey,
    I am trying to disable SSLv2 completely within WebLogic and am using the information contained here (http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/ssl.html#wp1194346) and have specifically made sure I'm using jsafeFIPS.jar and the "-Dweblogic.security.SSL.nojce=true" argument. I want to allow ONLY TLS and SSLv3 communication. Unfortunately, when I attempt to test this setup by forcing my browser to attempt a connection over SSL2 (and any available cipher), WebLogic will still allow me to initiate a connection and exchange certificates. To be clear, that means the packet flow looks like this when I try https://server/:
    ME-SERVER: SYN
    SERVER-ME: SYN,ACK
    ME-SERVER: ACK
    (the stuff above is just the TCP stream initiation)
    ME-SERVER: SSLv2 Client Hello (with my list of ciphers in here of course)
    SERVER-ME: ACK
    SERVER-ME: SSLv2 Server Hello (and it shows 2 cipher specs -- in the SSL2 space, and it provides my certificate)
    ME-SERVER: ACK
    ME-SERVER: SSLv2 Client Master Key (I choose to use one of the ciphers we both have)
    SERVER-ME: ACK
    (the stuff below is the tear down of the TCP stream)
    SERVER-ME: FIN,ACK
    ME-SERVER: ACK
    ME-SERVER: FIN,ACK
    The problem here is that I don't want WebLogic to walk down the path of offering ciphers it knows it will immediately reject. And I'd prefer it not even respond when SSLv2 hellos are offered. I'm lost at this point -- is this something WebLogic can do?

    I just wanted to add one more thing here: the functionality on the SSL-based node manager is even worse. Here's how that packet flow appears. The thing to focus on here is that the tear down of the TCP stream is actually initiated by me and not by the server. I'm using a browser to test this, so it looks like the browser is trying to make something happen and then timing out. To be clear, it takes me almost exactly 30 seconds before I tear down my side of this TCP session (probably a timeout).
    ME-SERVER: SYN
    SERVER-ME: SYN,ACK
    ME-SERVER: ACK
    (the stuff above is just the TCP stream initiation)
    ME-SERVER: SSLv2 Client Hello (with my list of ciphers in here of course)
    SERVER-ME: ACK
    SERVER-ME: SSLv2 Server Hello (and it shows 2 cipher specs -- in the SSL2 space, and it provides my certificate)
    ME-SERVER: ACK
    ME-SERVER: SSLv2 Client Master Key (I choose to use one of the ciphers we both have)
    SERVER-ME: ACK
    (the stuff below is the tear down of the TCP stream)
    ME-SERVER: FIN,ACK
    SERVER-ME: ACK
    SERVER-ME: FIN,ACK
    ME-SERVER: ACK

  • PCI compliance, need to disable SSL version 2

    I'm running OS X 10.7.2 and I recently failed my PCI compliance scan. I was informed that I have SSLv2 and SSLv3 and that I need to disable SSLv2. The company that performs the scan says that they can't help me do it and that I should call my ISP, ATT Uverse. I've done this and spent several hours being bounced around and they don't seem to understand what I'm talking about or how to fix it. So... my question is how can I disable SSLv2?? I'm not very "code" savvy so if you could walk me through the steps that would be very helpful. I really don't want to try tech support with ATT again! TIA

    Launch the Terminal application by entering the first few letters of its name into a Spotlight search. Drag or copy -- do not type -- the following line into the window, then press return:
    launchctl list | sed 1d | awk '!/0x|com\.apple/ {print $3}'
    Post any lines of output that appear below what you entered -- the text, please, not a screenshot.

  • SSLv2 & Broadcasting AP Name Cisco 5508

    Hi,
    We had a pen test completed on our wireless network recently and two elements that came out of it that surprised me were the following:
    The guest wireless portal is using SSLv2 and they recommend that we use SSLv3.  I haven't been able to see anywhere if this can be changed or checked for current version.  Is it possible to upgrade?
    The second item was with regards the broadcasting of the SSID.  When the SSID is broadcasting the administrative name of the LAP's is visible using wireshark.  Is there a setting to hide these within the controller or is the only option to rename all the LAP's to something simple like AP1?
    Cheers
    Brian

    Steve:
    Thanks for your useful info as usual.
    What you mentioned is not available under the management tab. It is only available from CLI.
    It is not mandatory to use "high". You can simply disable SSLv2 to be able to use only SSLv3 or higher.
    Here is the link from config guide: http://tiny.cc/k9jlcw.
    But config guide does not make it clear.
    It says that disabling SSLv2 will make it only possible to use SSLv3. (it did not mention that the "high" cipher should be enabled).
    Brian you may check it if it is going to work if SSLv2 is disabled and "high" is disabled as well. Check please and let us know if it is going to use SSLv3 or you necessarily need to configure the "high" as well.
    Amjad

  • SSLv2Hello support with SunPKCS11/NSS in FIPS mode

    Does anyone know if there is a way to enable support for SSLv2Hello when the JRE is configured to use a FIPS crypto module?
    I have an NSS database running in FIPS mode, plugged into my JRE via the following lines in my java.security file:
    security.provider.1=sun.security.pkcs11.SunPKCS11 C:/nss-pkcs11-test/nss-pkcs11.cfg
    security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSSFIPS
    nss-pkcs11.cfg:
    name=NSSFIPS
    nssLibraryDirectory=C:\nss-3.11.4\lib
    nssSecmodDirectory=C:\nss-pkcs11-test
    nssDbMode=readOnly
    nssModule=fips
    and keystore/truststore config in the SSL connector in Tomcat's server.xml:
        <!-- TEST NSS PKCS11 MODULE -->
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                 keystoreFile=""
                 keystoreType="PKCS11"
                 keystoreProvider="SunPKCS11-NSSFIPS"
                 keystorePass="nsspassword"
                 truststoreFile=""
                 truststoreType="PKCS11"
                 truststoreProvider="SunPKCS11-NSSFIPS"
                 truststorePass="nsspassword"
                   clientAuth="true" sslProtocol="TLS" />
    I've tried setting -Dhttps.protocols=TLSv1,SSLv2Hello, but that doesn't seem to make any difference. Currently the only way I can get things working is to disable SSLv2 in the browser, which is less than ideal in terms of user base support. Without SSLv2 disabled in the browser, I see the following error in my logs and am unable to establish the SSL connection with the server:
    http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
    I understand that SSLv2 is not (and should not be) supported in FIPS mode, but it seems like when you have a browser client that supports TLS but sends an SSLv2Hello by default, the server (in my case, Tomcat 6 using the aforementioned JRE) should be smart enough to renegotiate the connection to TLS.
    Any thoughts would be appreciated!

    The browser should have disabled SSLv2Hello by default in the latest releases, because SSLv2 is prohibited now. "TLS clients MUST NOT send the SSL version 2.0 compatible CLIENT-HELLO message format." [RFC6176]
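The SSLv2-format hello discussed in this thread, and in the WebCache capture earlier on the page (an "SSLV2 Client Hello" answered by an "SSLV3 Server Hello"), is a framing choice that is separate from the protocol version the client offers. The following is an added example, not code from any poster or vendor: it classifies a client's first bytes by framing and by offered version. The function names, the `accept_v2_framing` switch and the sample hellos are constructed for illustration.

```python
import struct

# (major, minor) version bytes as they appear on the wire.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def classify_client_hello(data: bytes) -> tuple:
    """Return (framing, highest version offered) for a client's first bytes."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    # SSLv2 framing: 2-byte header with the high bit set (15-bit length),
    # message type 1 (CLIENT-HELLO), then the 2-byte version.
    if data[0] & 0x80 and data[2] == 0x01:
        offered = (data[3], data[4])
        return "sslv2-record", VERSIONS.get(offered, "unknown")
    # SSLv3/TLS framing: content type 22 (handshake), record version, 2-byte
    # length, handshake type 1, 3-byte length, then client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        offered = (data[9], data[10])
        return "tls-record", VERSIONS.get(offered, "unknown")
    raise ValueError("not an SSL/TLS ClientHello")


def server_outcome(data: bytes, accept_v2_framing: bool) -> str:
    """Outcome for a server that negotiates SSLv3/TLS only, never SSLv2.

    accept_v2_framing models a setting like the "SSLv2Hello" option named
    in the thread: tolerate the old framing, still refuse the old protocol.
    """
    framing, offered = classify_client_hello(data)
    if offered == "SSLv2":
        return "reject: client offers SSLv2 only"
    if framing == "sslv2-record" and not accept_v2_framing:
        return "reject: SSLv2-format hello not accepted"
    return "proceed: client offers up to " + offered


def build_v2_hello(version: tuple) -> bytes:
    """Constructed sample: SSLv2-format CLIENT-HELLO offering `version`."""
    specs, challenge = b"\x00\x00\x0a", bytes(16)  # one spec, zero challenge
    body = (b"\x01" + bytes(version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(version: tuple) -> bytes:
    """Constructed sample: SSLv3/TLS-format ClientHello offering `version`."""
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = {"v2 framing, offers TLSv1.0": build_v2_hello((3, 1)),
               "v2 framing, offers SSLv2": build_v2_hello((0, 2)),
               "TLS framing, offers TLSv1.0": build_tls_hello((3, 1))}
    for name, hello in samples.items():
        print(name, classify_client_hello(hello), server_outcome(hello, False))
```

A scanner or capture that reports "SSLv2 Client Hello" is describing the first case; whether SSLv2 itself is in play depends on the version in the server's reply, not on the client's framing.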

  • Cisco serie 5500 wireless controller

    Hi,
    We got a cisco serie 5500 wireless controller, software 7.4.110.0. our ssl certificate expired into 2 weeks, we purchase a new one but the SH1 fingerprint is not any more supported and now we must apply SH2. does our controller support SH2?
    Thanks and kind regards

    Yes, WLC supports SH2.
    If you do not want users to connect to a web page using a browser that is configured with SSLv2 only, you can disable SSLv2 for web authentication by entering the config network secureweb cipher-option sslv2 disable command. If you enter this command, users must use a browser that is configured to use a more secure protocol such as SSLv3 or later releases. The default value is enabled

  • OHS12c on windows with TLSv1.2 enabled does not help to load the application on IE

    Hi Guys,
    I need your expertise in the below query.
    Lately we were advised to disable SSLv2 and SSLv3 and only use the current best TLS1.x on our Web tier.
    1.I have an OHS 11g which proxy passes the request to weblogic
    2. Since we know that OHS11g does not support TLS 1.1 and TLS1.2 and only supports TLS 1.0 , we installed OHS12c [ which supports the stated protocols ] and
    3. OHS 12c would proxy pass all its request to OHS 11g
    3. But the problem is the default OHS 12 c has the below SSL setting :
       #  SSL Protocol Support:
       #  List the supported protocols.
       SSLProtocol nzos_Version_1_2 nzos_Version_1_1 nzos_Version_1_0
       #  SSL Cipher Suite:
       #  List the ciphers that the client is permitted to negotiate.
       SSLCipherSuite    SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
    4. The above settings makes the application not work  on IE !! but works in other browser.
    Please advise what is the global /standard OHS12 cipher combination to be used.
    Thanks,
    Parin


  • How to add ssl to webcache  10.1.3

    Hi
    We are running oracle webcache 10.1.3 on Solaris connecting to OracleHTTPServer-->OC4J. Now, we have installed a SSL certificate on oracle wallet.
    When we are trying to access the server from chrome, we get Error 113 (net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH): Unknown error.
    We changed webcache.xml and disabled SSLV2,
    <LISTEN IPADDR="ANY" PORT="443" SSLENABLED="SSL" PORTTYPE="NORM">
    Also changed httpd.conf at OracleHTTPServer,
    <IfModule mod_ossl.c>
    # SSLOptions +StdEnvVars
    SSLOptions ExportCertData StdEnvVars
    </IfModule>
    Still does not work. Any idea how to get SSL up on Webcache 10.1.3?
    Thanks
    AK

    FOR HISTORY
    Oracle does not support wild-carding certificates (wildcards)!!!
    Here is a FAQ from metalink:
    Per Metalink Note:291774.1:
    Question 2:
    Using the same SSL certificate for multiple Name-Based Virtual Hosts is
    sometimes used on the Internet. This is referred to as 'certificate
    sharing', or 'wild-carding certificates', and requires a special
    certificate from the Certificate Authority. Is this supported?
    Answer 2:
    No, sharing certificates for multiple Name-Based Virtual Hosts is not
    supported by Oracle. The use of wildcard certificates could compromise
    security, and are not compatible with OWM. If there is a business need
    for this, please file an Enhancement Request.

  • SSLV3 poodle on WLC 2100

    Hi everyone,
    Seems as per cisco all WLC --5500/2100 etc are affected by sslv3.
    Need to know if there is any config change that can be done without doing version upgrade?
    Regards
    Mahesh

    If you do not want users to connect to a web page using a browser that is configured with SSLv2 only, you can disable SSLv2 for web authentication by entering the config network secureweb cipher-option sslv2 disable command. If you enter this command, users must use a browser that is configured to use a more secure protocol such as SSLv3 or later releases. The default value is disabled.
