> From: Philip Guenther [mailto:[email protected]]
> To: Stuart VanZee
> Cc: Openbsd Misc (E-mail)
> Subject: Re: ssl v2 question
>
>
> On Wed, Feb 4, 2009 at 6:21 AM, Stuart VanZee
> <[email protected]> wrote:
> ...
> > So the question is. How do I prove that our https server doesn't
> > provide support for sslv2?
>
> First, you disable it per Otto's email. Then, you run a
> script like this:
>
> #!/bin/sh
> openssl ciphers -v |
> while read cipher version other; do
>         printf 'HEAD / HTTP/1.0\n\n' |
>         openssl s_client -connect 127.0.0.1:443 -cipher $cipher \
>                 -ssl${version##*v} -quiet 2>&1 |
>         grep HTTP >/dev/null && echo $version $cipher
> done
>
>
> That'll report the SSL protocol version and cipher suite combos that
> it supports for the root page. (In openssl, the cipher suites for TLS
> are the same as for SSLv3, so that script only reports SSLv3 for
> both.)
>
>
> Philip Guenther
>

Thank you everyone for the replies. With the information provided by Marc Espie, Otto Moerbeek, Dennis Davis, Philip Guenther and a few others I was able to get my https server configured correctly and as a bonus, I was able to find enough info that I was able to understand what I was doing rather than just blindly following a how-to or someone's directions.

I ended up with:

    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM

as the settings in httpd.conf and was able to verify the results using the script that was provided by Philip.

Again, thank you all for the wonderful help.

s
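
Added example, not part of the original messages: a static cross-check of the SSLProtocol setting above, to run alongside the live probe. It assumes mod_ssl's rule that each SSLProtocol directive starts from an empty set, a bare token replaces the set and +/- add or remove, that "all" covered SSLv2, SSLv3 and TLSv1 at the time, and that the default without a directive is "all"; effective_protocols is a hypothetical helper and models a single configuration scope only.

```shell
#!/bin/sh
# effective_protocols FILE
# Print the protocols left enabled by the last SSLProtocol directive in FILE.
effective_protocols() {
    v2=1 v3=1 t1=1      # assumed default when no directive is present: "all"
    while read -r directive args; do
        # Directive names are case-insensitive; comment lines never match.
        [ "$(printf %s "$directive" | tr 'A-Z' 'a-z')" = sslprotocol ] || continue
        v2=0 v3=0 t1=0  # every directive is evaluated from an empty set
        for tok in $args; do
            case "$tok" in
                +*) op=add; name=${tok#+} ;;
                -*) op=del; name=${tok#-} ;;
                *)  op=set; name=$tok ;;
            esac
            # A bare token replaces whatever was selected so far.
            if [ "$op" = set ]; then v2=0 v3=0 t1=0; fi
            if [ "$op" = del ]; then val=0; else val=1; fi
            case "$(printf %s "$name" | tr 'A-Z' 'a-z')" in
                all)   v2=$val v3=$val t1=$val ;;
                sslv2) v2=$val ;;
                sslv3) v3=$val ;;
                tlsv1) t1=$val ;;
            esac
        done
    done < "$1"
    out=""
    if [ "$v2" = 1 ]; then out="$out SSLv2"; fi
    if [ "$v3" = 1 ]; then out="$out SSLv3"; fi
    if [ "$t1" = 1 ]; then out="$out TLSv1"; fi
    echo "${out# }"
}

# sslv2_disabled FILE: exit status 0 only if SSLv2 is not in the effective set.
sslv2_disabled() {
    case " $(effective_protocols "$1") " in
        *" SSLv2 "*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Constructed sample mirroring the settings quoted in the message above.
sample=$(mktemp)
printf 'SSLProtocol all -SSLv2\nSSLCipherSuite HIGH:MEDIUM\n' > "$sample"
echo "enabled: $(effective_protocols "$sample")"
sslv2_disabled "$sample" && echo "SSLv2 is off in this file"
rm -f "$sample"
```

A clean result here only describes the file that was parsed; the s_client probe in the quoted script is still what shows how the running server behaves.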

