RE: [Fed-Talk] Disabling sslv2 in server admin
- Subject: RE: [Fed-Talk] Disabling sslv2 in server admin
- From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
- Date: Tue, 24 Feb 2009 06:55:59 -0800
- Thread-topic: [Fed-Talk] Disabling sslv2 in server admin
That is what I was afraid of.
Thanks Erik!
-----Original Message-----
From: van Bronkhorst, Erik W. (CHLK)
Sent: Monday, February 23, 2009 15:17
To: Losasso, Jonathan E IT3 CCG, N63
Subject: Re: [Fed-Talk] Disabling sslv2 in server admin
I just dl'ed server admin, opened with pacifist and grep'd the whole thing.
I don't see any way.
My SWAG is it will require recompile by Apple.
Erik
--
Code 471600D Erik van Bronkhorst
NAVAIRWARCENWPNDIV
1900 N KNOX ROAD STOP 6510 bldg 00005 rm 2015 China Lake CA 93555-6106
> From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
> Date: Mon, 23 Feb 2009 14:43:38 -0800
> To: <email@hidden>
> Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
>
> That would be a nice option however we are actually using server admin to
> manage multiple servers. Worst case scenario we could disable 311, therefore
> disabling server admin. Only problem with that is making changes to our
> other servers would require a lot more work. It's a solution, just a dirty
> one.
>
> Thanks for all your help
>
> -----Original Message-----
> From: van Bronkhorst, Erik W. (CHLK)
> Sent: Monday, February 23, 2009 14:36
> To: Losasso, Jonathan E IT3 CCG, N63
> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>
> can you just disable port 311 or are you actually using server admin ?
> --
> Code 471600D Erik van Bronkhorst
> NAVAIRWARCENWPNDIV
> 1900 N KNOX ROAD STOP 6510 bldg 00005 rm 2015 China Lake CA 93555-6106
>
>
>
>> From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
>> Date: Mon, 23 Feb 2009 14:30:07 -0800
>> To: <email@hidden>
>> Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
>>
>> Tim - We are running the latest version of openssl 0.9.8j, had to compile on
>> my own as apple is sometimes slow to release updates, so not exactly the
>> version that ships with leopard.
>>
>> Erik - That does help a lot actually. However it seems the article is geared
>> more towards web server. I guess I am really not explaining the issue
>> clearly enough. So I will try to take one more stab at it. We are not
>> running a web server, the only services that are running that use SSL is the
>> 'server admin' tool which listens on port 311. I am currently trying to
>> track down a conf file so I can disable sslv2 which it seems bent on using.
>> Originally I was trying to disable sslv2 system wide which doesn't seem
>> possible and/or would break server admin. I can't seem to locate the conf
>> file that server admin uses nor any start up scripts that show it being
>> loaded.
>>
>> -jonathan
>>
>> -----Original Message-----
>> From: Miller, Timothy J. [mailto:email@hidden]
>> Sent: Monday, February 23, 2009 13:58
>> To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
>> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>>
>> On 2/23/09 3:20 PM, "Losasso, Jonathan E IT3 CCG, N63"
>> <email@hidden> wrote:
>>
>>> Rex is correct about ssh, in my haste I was under the wrong impression
>>> that ssh used ssl as a backbone for encryption.
>>>
>>> My problem is with ssl, specifically openssl that ships with Leopard.
>>> In order to be compliant with DoD standards (which uses retina) I am
>>> trying to disable sslv2 and force sslv3 instead. In a perfect world I
>>> would be able to disable ssl completely, yet as we all know nothing is
>>> perfect :) . It seems the server admin tool uses openssl on port 311
>>> which is using v2. So you can see my need to force v3 if at all
>>> possible. Any documentation floating around on this?
>>
>> You have a more fundamental problem: The version of OpenSSL that ships with
>> OS X does not include the FIPS 140-2 certified module.
>>
>> -- Tim
>>
>> -----Original Message-----
>> From: van Bronkhorst, Erik W. (CHLK)
>> Sent: Monday, February 23, 2009 13:59
>> To: Losasso, Jonathan E IT3 CCG, N63
>> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>>
>> http://www.macosxhints.com/article.php?story=20041129143420344
>> does this help?
>>
>> make sure to note the entry titled
>> A better SSLCipherSuite
>>
>> By: MartySells on Fri, Dec 3 2004 at 11:21PM PST The original hint had:
>> SSLCipherSuite
>> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>
>> I would suggest the following instead:
>> SSLCipherSuite
>> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
>>
>> This setting will disable SSL version 2 (which has security problems) as
>> well as weak ciphers (LOW, EXP).
>>
>> [snip]
>>
>>
>> WR
>> Erik
>>
>> --
>> Code 471600D Erik van Bronkhorst
>> NAVAIRWARCENWPNDIV
>> 1900 N KNOX ROAD STOP 6510 bldg 00005 rm 2015 China Lake CA 93555-6106
>>
>>
>>
>>> From: "Losasso, Jonathan E IT3 CCG, N63" <email@hidden>
>>> Date: Mon, 23 Feb 2009 13:20:37 -0800
>>> To: <email@hidden>
>>> Subject: RE: [Fed-Talk] Disabling sslv2 on ssh
>>>
>>> Rex is correct about ssh, in my haste I was under the wrong impression that
>>> ssh used ssl as a backbone for encryption.
>>>
>>> My problem is with ssl, specifically openssl that ships with Leopard. In
>>> order to be compliant with DoD standards (which uses retina) I am trying to
>>> disable sslv2 and force sslv3 instead. In a perfect world I would be able to
>>> disable ssl completely, yet as we all know nothing is perfect :) . It seems
>>> the server admin tool uses openssl on port 311 which is using v2. So you can
>>> see my need to force v3 if at all possible. Any documentation floating
>>> around on this?
>>>
>>> -Jonathan
>>>
>>> -----Original Message-----
>>> From: Roy Mendelssohn [mailto:email@hidden]
>>> Sent: Monday, February 23, 2009 13:09
>>> To: Losasso, Jonathan E IT3 CCG, N63
>>> Cc: email@hidden
>>> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>>>
>>> As Rex pointed out, ssh only has protocol up to version 2 AFAIK.
>>> There is a version 3 protocol for sftp, but that is what is most commonly
>>> used. Can you provide a URL to ssh-3?
>>>
>>> -Roy
>>>
>>> On Feb 23, 2009, at 12:41 PM, Losasso, Jonathan E IT3 CCG, N63 wrote:
>>>
>>>> Well that explains it, thanks for the quick responses!
>>>>
>>>> Back to the problem that brought me to this. How would I go about
>>>> disabling
>>>> sslv2 completely and revert to v3 in leopard? I can't seem to find
>>>> much documentation on it.
>>>>
>>>> Thanks again.
>>>>
>>>> -Jonathan
>>>>
>>>> -----Original Message-----
>>>> From: Rex Sanders [mailto:email@hidden]
>>>> Sent: Monday, February 23, 2009 12:36
>>>> To: Losasso, Jonathan E IT3 CCG, N63; email@hidden
>>>> Subject: Re: [Fed-Talk] Disabling sslv2 on ssh
>>>>
>>>> Jonathan,
>>>>
>>>> sshd_config "Protocol" line specifies the SSH protocol version, not
>>>> SSL protocol version. AFAIK, SSH does not use the SSL protocol at
>>>> all.
>>>>
>>>> SSH version 1 ("Protocol 1") has known design vulnerabilities and
>>>> should not be used or allowed.
>>>>
>>>> SSH version 2 ("Protocol 2") is the current standard. SSHv2 has one
>>>> design vulnerability with certain widely used ciphering schemes ("CBC
>>>> mode encryption"). The vulnerability is difficult to exploit, almost
>>>> impossible to exploit quietly, and "can potentially allow an attacker
>>>> to recover up to 32 bits of plaintext from an arbitrary block of
>>>> ciphertext".
>>>> http://www.kb.cert.org/vuls/id/958563
>>>> Workaround - specify only CTR mode encryption. Some clients don't
>>>> support CTR mode.
>>>>
>>>> AFAIK, there is no SSH version 3 ("Protocol 3"), so I'm not surprised
>>>> that specifying protocol 3 doesn't work.
>>>>
>>>> Wikipedia has some of the history and details:
>>>> http://en.wikipedia.org/wiki/Ssh
>>>>
>>>> -- Rex
>>>>
>>>>
>>>> At 12:04 PM -0800 2/23/09, Losasso, Jonathan E IT3 CCG, N63 wrote:
>>>>>
>>>>> Anyone know how to force ssh to use sslv3 instead of v2 correctly?
>>>>>
>>>>> When I change Protocol from 2 to 3 in sshd_config (/etc/sshd_config) I
>>>>> get an error when trying to ssh remotely into that machine (ssh
>>>>> email@hidden). What am I doing wrong?
>>>>>
>>>>> Any input is appreciated, thank you!
>>>> _______________________________________________
>>>> Do not post admin requests to the list. They will be ignored.
>>>> Fed-talk mailing list (email@hidden)
>>>> Help/Unsubscribe/Update your Subscription:
>>>> .gov
>>>>
>>>> This email sent to email@hidden
>>>
>>> **********************
>>> "The contents of this message do not reflect any position of the U.S.
>>> Government or NOAA."
>>> **********************
>>> Roy Mendelssohn
>>> Supervisory Operations Research Analyst
>>> NOAA/NMFS
>>> Environmental Research Division
>>> Southwest Fisheries Science Center
>>> 1352 Lighthouse Avenue
>>> Pacific Grove, CA 93950-2097
>>>
>>> e-mail: email@hidden (Note new e-mail address)
>>> voice: (831)-648-9029
>>> fax: (831)-648-8440
>>> www: http://www.pfeg.noaa.gov/
>>>
>>> "Old age and treachery will overcome youth and skill."
>>> "From those who have been given much, much will be expected"
>>>
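The two SSLCipherSuite strings Erik quotes from the macosxhints entry differ only in swapping `+` for `!` on LOW, SSLv2, EXP and eNULL. As an added example (not from the thread, and not OpenSSL's own code), the Python below models the cipher-string operators over a small constructed cipher table to show why that swap matters: `+` only moves already-selected ciphers to the end of the preference list, while `!` removes them outright. The cipher names and keyword tags are constructed for the demonstration; the real list for a given string comes from `openssl ciphers -v '<string>'`.

```python
"""Model OpenSSL cipher-string operators to compare the two SSLCipherSuite
strings from the thread. Added example; the cipher table is constructed."""

# Constructed sample table: cipher name -> keywords it matches.
# Not OpenSSL's real table; just enough to exercise the operators.
CIPHERS = {
    "AES256-SHA": {"HIGH", "RSA", "SSLv3"},
    "RC4-SHA": {"MEDIUM", "RSA", "RC4", "SSLv3"},
    "DES-CBC-SHA": {"LOW", "RSA", "SSLv3"},
    "EXP-RC4-MD5": {"EXP", "RSA", "RC4", "SSLv3"},
    "NULL-SHA": {"eNULL", "RSA", "SSLv3"},
    "RC4-MD5-SSLv2": {"MEDIUM", "RSA", "RC4", "SSLv2"},
    "EXP-DES-SSLv2": {"EXP", "RSA", "SSLv2"},
    "ADH-AES128-SHA": {"HIGH", "ADH", "SSLv3"},
}

ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
IMPROVED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL"


def _matches(tags, expr):
    """'A+B' selects ciphers carrying every keyword; ALL is everything but eNULL."""
    if expr == "ALL":
        return "eNULL" not in tags
    return all(k in tags for k in expr.split("+"))


def evaluate(cipher_string):
    """Return the ordered cipher list the string selects (simplified OpenSSL rules)."""
    current = []      # ordered list of currently enabled ciphers
    killed = set()    # '!' removals are permanent; later words cannot re-add them
    for word in filter(None, cipher_string.split(":")):
        op, expr = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hit = [c for c, t in CIPHERS.items() if _matches(t, expr)]
        if op == "!":
            killed.update(hit)
            current = [c for c in current if c not in hit]
        elif op == "-":   # delete, but a later word may add the cipher back
            current = [c for c in current if c not in hit]
        elif op == "+":   # only reorder: move matching ciphers to the end
            current = [c for c in current if c not in hit] + [c for c in current if c in hit]
        else:             # plain keyword: append new, non-killed matches
            current += [c for c in hit if c not in current and c not in killed]
    return current


def allows(cipher_string, keyword):
    """True if any selected cipher still carries the keyword (e.g. 'SSLv2')."""
    return any(keyword in CIPHERS[c] for c in evaluate(cipher_string))


if __name__ == "__main__":
    for name, s in (("original", ORIGINAL), ("improved", IMPROVED)):
        print(name, evaluate(s), "SSLv2 allowed:", allows(s, "SSLv2"))
```

With this table the original hint still selects both SSLv2 ciphers (just demoted to the end), while the improved string leaves only the HIGH and MEDIUM SSLv3 suites.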