How to disable SSLv2?

Discussion in 'Installation/Configuration' started by stirfry, Jul 25, 2007.

  1. stirfry

    stirfry New Member

    I'm trying to add the following apache directive to one of my sites to prevent the use of SSL version 2.0:

    Code:
    SSLCipherSuite -SSLv2
    I tried adding it in the "Apache Directives (Optional)" field on the "Basics" tab of the site, but I got this: "You cannot assign HTTPD Includes to this website."

    I tried editing Vhosts_ispconfig.conf manually, but when I restart Apache, that directive disappears.

    It seems to me that ISPConfig should probably write this into the vhosts config file for any sites using SSL as a security measure. In the meantime does anyone have any ideas for disabling SSLv2?
     
  2. till

    till Super Moderator

    You cabn change the ISPConfig function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php
     
  3. stirfry

    stirfry New Member

    You guys rock! Thanks! I'm very impressed with both ISPConfig, and the level of support you, Falko, and the rest of the community provide on the forums.

    I had the directive syntax munged in my original post for this thread. In case anyone wants to disable SSLv2 (has known vulnerabilities), this is what I added after the "SSLEngine on" directive in the make_vhost function:

    Code:
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
    
    Just out of curiosity, is there a reason I was not able to add this directive through ISPConfig's "Apache Directives (Optional)" field for the site?
     
  4. falko

    falko Super Moderator

    If you use that field, the directives will be added to the non-SSL vhost, too, which of course results in a syntax error.
     

Share This Page