On Wed, Feb 04, 2009 at 09:21:49AM -0500, Stuart VanZee wrote:

> I am sorry if this seems like a dumb question.
> 
> Recently my boss has been informed that supporting SSL Version 2
> would make us non-compliant with PCI (Payment Card Industry)
> certification.  My guess would be that (being on top of such things)
> OpenBSD's httpd probably doesn't use sslv2 since, from what I have
> read, there are known issues with it.  But that is a GUESS, not a
> KNOW, and as usual, the boss wants some kind of proof.
> 
> I didn't see anything on this subject in the FAQ.  I looked in the
> man pages for ssl, openssl, httpd, and anything else I could think
> of and they look like sslv2 IS supported but I couldn't figure out
> if it was used or not.  I googled, but was overwhelmed with info
> about sslv2 stuff from way back in 3.9 and couldn't find anything
> newer (yes, my google foo needs work I'm sure).
> 
> So the question is.  How do I prove that our https server doesn't
> provide support for sslv2?
> 
> Stuart van Zee
> [email protected]

SSLProtocol and/or SSLCipherSuite contain the answer. They are
described in the included httpd documentation.

AFAIK, by default SSLv2 is supported, but it can be switched off quite
easily.

        -Otto
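As an added illustration (not part of Otto's reply, and not taken from the OpenBSD httpd documentation), here is what the two directives he names look like in an Apache/mod_ssl style configuration, with the permissive default beside the hardened setting. The hostname and certificate paths are placeholders, and the exact cipher list is an assumption chosen to make the point, not a recommendation from the thread:

```apache
# Constructed example: a VirtualHost that still accepts SSLv2.
# "all" includes SSLv2, and the cipher string does not exclude the
# SSLv2-only cipher suites, so an SSLv2 client hello will be answered.
<VirtualHost example.invalid:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt      # placeholder path
    SSLCertificateKeyFile /path/to/server.key      # placeholder path
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>

# Corrected form: SSLv2 is removed from the protocol list AND from the
# cipher list.  Doing both matters: SSLProtocol decides which handshake
# versions are negotiated, while SSLCipherSuite removes the SSLv2-only
# ciphers so nothing is left for an SSLv2 session to use.
<VirtualHost example.invalid:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt      # placeholder path
    SSLCertificateKeyFile /path/to/server.key      # placeholder path
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SSLv2
</VirtualHost>
```

After restarting httpd, the evidence the boss asks for comes from a client that can only speak SSLv2: with an OpenSSL build of that era, `openssl s_client -connect host:443 -ssl2` should fail to complete a handshake against the corrected configuration, and the same command against the first configuration succeeds. Note that OpenSSL 1.1.0 and later removed SSLv2 support entirely, so on a modern system the `-ssl2` option no longer exists and a scanner that still carries an SSLv2 client must be used for the check instead.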
