Secure Socket Layer (SSL) version 2 is considered weak cryptography in this aspect. To disabled SSLv2 and enable SSLv3. Assuming you already have OpenSSL installed, you can use another remote server to test the https connections
# openssl s_client -ssl2 -connect remote_server:443
If your server does not support SSLv2, you should receive the following error
CONNECTED(00000003) 22255:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
If your server is enabled to supports SSLv2 connections, the connection will be accepting input
CONNECTED(00000003)
To use SSLv3 and TLSv1, you have to modify the following at SSLCipherSuite directive in the httpd.conf or /etc/httpd/conf.d/ssl.conf file. In the example, you can do the following
#SSLProtocol all -SSLv2 SSLProtocol -all +SSLv3 +TLSv1On my /etc/httpd/conf.d/ssl.conf
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
For more information,see
- How to Disable SSLv2 and Weak Ciphers(PCI Compliance (http://almamunbd.blogspot.com)
- How to Disable SSLv2 and Weak Ciphers(PCI Compliance (http://www.srcnix.com)