[aklug] Re: If you are still running SSLv2, you should disable it ASAP

From: Royce Williams <royce@tycho.org>
Date: Tue Mar 01 2016 - 06:31:33 AKST

Convenience list of what I know of:

http://www.techsolvency.com/tls/sslv2.csv

1222 hosts, all over the map.

Royce

On Tue, Mar 1, 2016 at 6:05 AM, Royce Williams <royce@tycho.org> wrote:
> A new attack makes all servers running SSLv2 vulnerable.
>
> https://drownattack.com/
> http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
>
> Strongly recommend that you move to disable SSLv2 on affected systems.
> Disabling SSLv2 is the best and fastest remedy, and likelihood of
> impact of doing so is very, very low - all clients in the past decade
> support TLS 1.0 as well.
>
> Use this tool to make it easier on IIS:
>
> https://www.nartac.com/Products/IISCrypto
>
> In Apache, assuming mod_ssl:
>
> SSLProtocol all -SSLv2 -SSLv3
>
> Search for your affected domains here (working on an updated version ASAP)
>
> http://www.techsolvency.com/tls/
>
> ... and use the search box for classful searches for your IP space,
> your domains, or "SSLv2 on"
>
> Note that the attack works even if SSLv2 is "soft disabled" by
> disabling all SSLv2 ciphers.
>
> Royce
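
A way to check an Apache config for the two cases the post describes (SSLv2 still on, or only "soft disabled" through the cipher list), as an added example that is not part of the original post or of mod_ssl. It assumes Apache 2.2-era semantics, where `all` includes SSLv2 and a missing `SSLProtocol` line defaults to `all`; the function names and sample configs are constructed for illustration.

```python
import re

# Assumption: Apache 2.2-era mod_ssl, where "all" still includes SSLv2 and
# a config with no SSLProtocol line falls back to the default "all".
ALL_22 = {"SSLv2", "SSLv3", "TLSv1"}
KNOWN = {p.lower(): p for p in ALL_22 | {"TLSv1.1", "TLSv1.2"}}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.I)

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right into the enabled set."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = name.lower()
        if key != "all" and key not in KNOWN:
            raise ValueError(f"unknown protocol token: {tok!r}")
        group = set(ALL_22) if key == "all" else {KNOWN[key]}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = group  # bare token replaces the set (modelled behaviour)
    return enabled

def audit(conf_text):
    """Return (line_no, verdict) findings; line 0 means file-wide."""
    findings, saw_protocol, ciphers_drop_v2 = [], False, False
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#', no match
        if not m:
            continue
        if m.group(1).lower() == "sslciphersuite":
            ciphers_drop_v2 |= bool(re.search(r"[!-]SSLv2", m.group(2), re.I))
        else:
            saw_protocol = True
            if "SSLv2" in effective_protocols(m.group(2)):
                findings.append((no, "SSLv2 enabled"))
    if not saw_protocol:
        findings.append((0, "SSLv2 enabled by default"))
    if findings and ciphers_drop_v2:
        findings.append((0, "soft disable only: ciphers drop SSLv2, protocol on"))
    return findings

# Constructed sample configs, not taken from any real host.
SOFT = "SSLEngine on\nSSLProtocol all -SSLv3\nSSLCipherSuite HIGH:!SSLv2:!aNULL\n"
FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, conf in (("soft", SOFT), ("fixed", FIXED)):
        print(label, audit(conf) or "no SSLv2 exposure found")
```

The audit treats the file as one scope and does not model per-VirtualHost overrides or `Include` files.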


Received on Tue Mar 1 04:49:44 2016
