
How can I disable SSLv2 on OS X 10.8.5 server

After running a Nessus scan we get the following finding:


SSL Version 2 (v2) Protocol Detection

This script is Copyright (C) 2005-2013 Tenable Network Security, Inc.


Synopsis :


The remote service encrypts traffic using a protocol with known
weaknesses.


Description :


The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.


See also :


http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2


Solution :


Consult the application's documentation to disable SSL 2.0 and use
SSL 3.0, TLS 1.0, or higher instead.


Risk factor :


Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)



I cannot find where or how to disable SSLv2? Please help.

Mac Pro, OS X Mountain Lion (10.8.5), OD Server


Posted on Apr 2, 2014 4:39 AM


Apr 2, 2014 7:47 AM in response to pschwarz1978

AFAIK, there's no easy way to move to TLS 1.2 with OS X or OS X Server, short of replacing hunks of the operating system and application environment — it's both the library version and the application itself that decide which SSL/TLS versions to use, and some can be configured and some don't offer the higher-security options.


TLS 1.2? TLS implementations prior to 1.2 (this includes TLS 1.1, TLS 1.0, SSL 3.0, SSL 2.0, and SSL 1.0, in descending order of relative age and security) all have known weaknesses, and this Tenable scan would likely flag those versions, too.


Libraries? OS X and OS X Server 10.9.2 ship with OpenSSL 0.9.8y 5 Feb 2013, and AFAIK OpenSSL first shipped TLS 1.2 support with their OpenSSL 1.0.1 release — so there's an OpenSSL library upgrade/replacement and rebuilding stuff to use that which would be part of this work, and AFAIK the APIs changed between those two releases. That's going to be no small project.


Background: The client and the server negotiate which SSL or TLS version will be used. Properly coded iOS 5 and later clients default to TLS 1.2, but will downgrade that, depending on the target.


As for the server, how much do you want to learn about manually configuring Apache and other SSL-based connections?


Here's a related previous discussion with some information related to Apache — I'd guess this is the target for that Tenable test. Here's another discussion.


SSL Labs has available a Server test and a client (browser) test.


Be prepared for a project that might approach a platform migration for whatever is using SSL/TLS here, and needs TLS 1.2. If that's not feasible in your environment, you'll probably want to send an enhancement request along to Apple asking for TLS 1.2 support in whatever network-facing application(s) you're using here.
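
An added example, not part of the original thread or any Apple or Apache code: one way to check an Apache configuration for the SSLv2 finding above, if Apache is indeed the flagged service as the reply guesses. It assumes Apache 2.2 mod_ssl semantics (an unset `SSLProtocol` means `all`, `all` includes SSLv2, and a bare token replaces the set built so far); the `audit` and `enabled_protocols` helpers and the sample configuration are constructed for illustration.

```python
# Assumption: Apache 2.2 mod_ssl, where "all" expands to these protocols.
ALL = ("SSLv2", "SSLv3", "TLSv1")

def enabled_protocols(tokens):
    """Apply SSLProtocol arguments left to right; return the enabled set."""
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        group = {p for p in ALL if name in ("all", p.lower())}
        if not group:
            raise ValueError(f"unknown SSLProtocol token: {tok}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group  # assumed: a bare token replaces the set so far
    return enabled

def audit(conf_text):
    """List (vhost, protocols) for SSL-enabled vhosts that still accept SSLv2."""
    server, vhosts, current = {"protocols": set(ALL)}, [], None  # unset = "all"
    for line in (raw.strip() for raw in conf_text.splitlines()):
        words = line.lower().split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "<virtualhost":
            current = {"name": line[12:].strip(" >"), "ssl": False, "protocols": None}
            vhosts.append(current)
        elif words[0].startswith("</virtualhost"):
            current = None
        elif words[0] == "sslengine" and current:
            current["ssl"] = words[1:2] == ["on"]
        elif words[0] == "sslprotocol":
            (current or server)["protocols"] = enabled_protocols(words[1:])
    # A vhost without its own SSLProtocol inherits the server-wide value.
    return [(v["name"], sorted(p)) for v in vhosts
            for p in [server["protocols"] if v["protocols"] is None else v["protocols"]]
            if v["ssl"] and "SSLv2" in p]

SAMPLE = """<VirtualHost *:443>
  SSLEngine on
</VirtualHost>
<VirtualHost *:8443>
  SSLEngine on
  SSLProtocol all -SSLv2
</VirtualHost>"""  # constructed sample configuration, not from the thread
```

Whatever the configuration says, re-run the Nessus scan or the SSL Labs server test mentioned above to confirm what the service actually negotiates.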
