#1
25th July 2007, 16:15
stirfry (Member)
How to disable SSLv2?

I'm trying to add the following apache directive to one of my sites to prevent the use of SSL version 2.0:

Code:
SSLCipherSuite -SSLv2
I tried adding it in the "Apache Directives (Optional)" field on the "Basics" tab of the site, but I got this: "You cannot assign HTTPD Includes to this website."

I tried editing Vhosts_ispconfig.conf manually, but when I restart Apache, that directive disappears.

It seems to me that ISPConfig should probably write this into the vhosts config file for any sites using SSL as a security measure. In the meantime does anyone have any ideas for disabling SSLv2?
#2
26th July 2007, 10:49
till (Super Moderator)

You can change the ISPConfig function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php
__________________
Till Brehm
#3
27th July 2007, 16:58
stirfry (Member)

You guys rock! Thanks! I'm very impressed with both ISPConfig, and the level of support you, Falko, and the rest of the community provide on the forums.

I had the directive syntax munged in my original post for this thread. In case anyone wants to disable SSLv2 (has known vulnerabilities), this is what I added after the "SSLEngine on" directive in the make_vhost function:

Code:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
Just out of curiosity, is there a reason I was not able to add this directive through ISPConfig's "Apache Directives (Optional)" field for the site?
#4
28th July 2007, 10:10
falko (Super Moderator)

Quote:
Originally Posted by stirfry
Just out of curiosity, is there a reason I was not able to add this directive through ISPConfig's "Apache Directives (Optional)" field for the site?
If you use that field, the directives will be added to the non-SSL vhost, too, which of course results in a syntax error.
__________________
Falko
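An added example, not part of the thread and not ISPConfig's own code: post #1 notes that manual edits to the generated vhosts file disappear, so a check like this can confirm after each regeneration that every vhost with "SSLEngine on" still has an SSLProtocol line excluding SSLv2. The function names and the sample config are constructed for illustration, and the code assumes that "all" (also taken as the default when SSLProtocol is absent) includes SSLv2, as on the Apache 2.0/2.2-era mod_ssl this thread concerns.

```python
import re

# What "all" expands to on Apache 2.0/2.2-era mod_ssl (assumption); also used
# here as the default when a vhost has no SSLProtocol directive.
ALL = ("SSLv2", "SSLv3", "TLSv1")

def enabled_protocols(args):
    """Evaluate SSLProtocol args left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        group = set(ALL) if name == "all" else {p for p in ALL if p.lower() == name}
        if sign == "-":
            enabled -= group
        else:
            enabled = enabled | group if sign == "+" else group
    return enabled

def audit(conf_text):
    """Return [(ServerName, sslv2_enabled)] for every vhost with SSLEngine on."""
    findings = []
    for body in re.findall(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", conf_text, re.S | re.I):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1].strip()  # last one wins
        if directives.get("sslengine", "off").lower() != "on":
            continue  # non-SSL vhost: nothing to check
        protos = enabled_protocols(directives.get("sslprotocol", "all"))
        findings.append((directives.get("servername", "?"), "SSLv2" in protos))
    return findings

# Constructed sample in the shape of a generated vhosts file (not real output).
SAMPLE = """
<VirtualHost 192.0.2.10:80>
ServerName plain.example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName fixed.example.test
SSLEngine on
SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName regenerated.example.test
SSLEngine on
</VirtualHost>
"""
if __name__ == "__main__": print(audit(SAMPLE))
```

A vhost reported as True has lost (or never had) the directive and needs the make_vhost change from post #3 reapplied.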