My server got an audit for PCI compliance and was red-flagged for allowing SSL2 connections, which they have some problem with. They want the server to use SSL3 or TLS:

"Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man- in-the-middle attacks or decrypt communications between the affected service and clients. See also : Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See kb/216482 for instructions on IIS. See 2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) "

They want me to do this for https, imaps, and pop3s protocols...

Before I dig into this, I was wondering, is this even possible? Will anything break as a result?

-- John

_______________________________________________ mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to