On Wed, Feb 04, 2009 at 09:21:49AM -0500, Stuart VanZee wrote:
> I am sorry if this seems like a dumb question.
> 
> Recently my boss has been informed that supporting SSL Version 2
> would make us non-compliant with PCI (Payment Card Industry)
> certification.  My guess would be that (being on top of such things)
> OpenBSD's httpd probably doesn't use sslv2 since, from what I have
> read, there are known issues with it.  But that is a GUESS, not a
> KNOW, and as usual, the boss wants some kind of proof.
> 
> I didn't see anything on this subject in the FAQ.  I looked in the
> man pages for ssl, openssl, httpd, and anything else I could think
> of and they look like sslv2 IS supported but I couldn't figure out
> if it was used or not.  I googled, but was overwhelmed with info
> about sslv2 stuff from way back in 3.9 and couldn't find anything
> newer (yes, my google foo needs work I'm sure).
> 
> So the question is.  How do I prove that our https server doesn't
> provide support for sslv2?

There are sslv2 parts which are completely outdated (unsafe ciphers,
and generally disabled).

You should ask your boss to get the full report. He's probably misinformed,
and there might be some "rule of thumb" policy that says that, since some
SSLv2 stuff is not so sure, it's simpler for stupid people to just disable
SSLv2 entirely...

Barring that, have a closer look at OpenBSD's httpd.conf, there's a
whole paragraph that deals with ssl issues, and specifically what kind of
ssl connections you accept or refuse.

Stuff like:
#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

and more specifically:
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
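A check that answers the original question directly, written here as an added example and not code from this thread or from OpenBSD's httpd: it builds an SSL 2.0 CLIENT-HELLO, sends it to a server you administer, and decides from the reply whether SSLv2 was negotiated (an SSLv2 SERVER-HELLO) or refused (a TLS alert/handshake record, or a closed connection). The host and port passed to probe() and the sample replies at the bottom are constructed assumptions.

```python
import socket, struct

SSLV2_CIPHERS = {  # the seven cipher kinds defined by the SSL 2.0 draft (3-byte codes)
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def sslv2_record(body):
    """Wrap a message in the 2-byte SSLv2 record header (high bit set, 15-bit length)."""
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_client_hello(challenge=b"\x00" * 16):
    """SSL 2.0 CLIENT-HELLO (type 1, version 0x0002) offering every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS)
    hdr = b"\x01\x00\x02" + struct.pack(">HHH", len(ciphers), 0, len(challenge))
    return sslv2_record(hdr + ciphers + challenge)

def classify_response(data):
    """Return (verdict, cipher names) for the first bytes a server sends back."""
    if not data:
        return "no_sslv2_connection_closed", []
    if data[0] in (0x15, 0x16) and data[1:2] == b"\x03":
        return "no_sslv2_tls_record", []  # server answered with a TLS alert or TLS handshake
    msg = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])] if len(data) >= 2 and data[0] & 0x80 else b""
    # SERVER-HELLO: type(1) hit(1) cert-type(1) version(2) cert-len(2) specs-len(2) conn-id-len(2)
    if len(msg) < 11 or msg[0] != 0x04 or msg[3:5] != b"\x00\x02":
        return "unknown", []
    cert_len, spec_len, _ = struct.unpack(">HHH", msg[5:11])
    specs = msg[11 + cert_len:11 + cert_len + spec_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex()) for i in range(0, len(specs), 3)]
    return "sslv2_supported", names

def probe(host, port=443, timeout=5.0):
    """Send the CLIENT-HELLO to a server you administer and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return classify_response(b"")

# Constructed sample replies (assumptions, not captured from any real server).
SAMPLE_SERVER_HELLO = sslv2_record(
    b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 4, 6, 16)
    + b"CERT" + b"\x01\x00\x80\x07\x00\xc0" + b"\x00" * 16)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal handshake_failure alert
```

On OpenSSL builds of that era the same probe was `openssl s_client -ssl2 -connect host:443`; current OpenSSL has removed SSLv2 entirely, which is why the hello is built by hand here.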
