Environment
Novell NetWare 6.5
Novell NetWare 6.0
Situation
The customer receives the following report from a security audit:
VULNERABILITY: SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses. Secure web applications should only enable the SSLv3 or TLSv1
protocols. For PCI compliance validation scans, note that either or both of the SSLv3 or TLSv1 protocols must be enabled (i.e., SSLv2 can not be the only
supported protocol version).
Reference: http://www.schneier.com/paper-ssl.pdf
REMEDIATION ACTION: Disable the use of SSL 2.0 if possible. Note that some older client software may not support the most recent protocol versions. The "SSLProtocol" configuration option in mod_ssl and Apache2 is commonly used to limit the protocol versions for web servers which use OpenSSL:
SSLProtocol -ALL +SSLv3 +TLSv1
Refer to the following Microsoft Knowledge Base article to remove SSLv2 support from Microsoft's Internet Information Server (IIS): http://support.microsoft.com/kb/187498.
Patches: http://support.microsoft.com/kb/187498, http://httpd.apache.org/docs/2.2/ssl/
tcp /443 - X.509 Certificate
Evidence:
• Cipher: DES-CBC-MD5
• Cipher: DES-CBC3-MD5
• Cipher: EXP-RC2-CBC-MD5
• Cipher: EXP-RC4-MD5
• Cipher: RC2-CBC-MD5
• Cipher: RC4-64-MD5
• Cipher: RC4-MD5
Resolution
Novell does not have the reported issues with security and SSL.

Systems are vulnerable to the reported issue when using mod_ssl. All of the settings that are listed in the security alert are for platforms other than NetWare.

Novell does NOT use mod_ssl; we use mod_tls. This affords multiple levels of protection. On NetWare we always negotiate the highest level of encryption possible. All of our SSL goes through LibC and is passed along to WinSock, which actually does all the work.

We do not have the cryptographic weaknesses that the security report suggests.
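A finding like the one in the audit report rests on a single observable fact, independent of which web server or SSL library the host runs: whether the service answers an SSLv2 CLIENT-HELLO with an SSLv2 SERVER-HELLO. The script below is an added example, not part of this TID and not Novell or scanner code. Because current TLS libraries (including Python's ssl module) have removed SSLv2 entirely, it builds the CLIENT-HELLO record by hand, reads one reply, and maps the cipher kinds a server advertises to the same OpenSSL names the scanner prints. The host name passed on the command line and the embedded sample SERVER-HELLO are constructed for illustration.

```python
"""Reproduce an "SSLv2 Supported" finding by speaking SSLv2 to the service.

Added example, not part of the original TID. Python's ssl module no longer
supports SSLv2, so the handshake records are built and parsed by hand. Only the
first handshake message is exchanged: a CLIENT-HELLO is sent and the reply is
checked for a well-formed SERVER-HELLO, which is the evidence a scanner uses.
"""
import socket
import struct
import sys
from typing import Optional

# SSLv2 CIPHER-KIND codes (3 bytes each) mapped to the OpenSSL names used in
# the audit evidence above.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "RC4-MD5",
    b"\x02\x00\x80": "EXP-RC4-MD5",
    b"\x03\x00\x80": "RC2-CBC-MD5",
    b"\x04\x00\x80": "EXP-RC2-CBC-MD5",
    b"\x05\x00\x80": "IDEA-CBC-MD5",
    b"\x06\x00\x40": "DES-CBC-MD5",
    b"\x07\x00\xc0": "DES-CBC3-MD5",
    b"\x08\x00\x80": "RC4-64-MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 CLIENT-HELLO record offering every cipher kind above."""
    specs = b"".join(SSLV2_CIPHER_KINDS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002, len(specs), 0,
                       len(challenge)) + specs + challenge
    # 2-byte record header: high bit set, 15-bit body length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def record_complete(data: bytes) -> bool:
    """True once `data` holds a whole SSLv2 record (2- or 3-byte header)."""
    if len(data) < 3:
        return False
    length = struct.unpack(">H", data[:2])[0]
    if data[0] & 0x80:
        return len(data) >= 2 + (length & 0x7FFF)
    return len(data) >= 3 + (length & 0x3FFF)


def parse_record(data: bytes) -> bytes:
    """Strip the record header and return the body (padding removed)."""
    if len(data) < 3:
        raise ValueError("short record")
    length = struct.unpack(">H", data[:2])[0]
    if data[0] & 0x80:
        return data[2:2 + (length & 0x7FFF)]
    padding = data[2]  # 3-byte header: 14-bit length that includes padding
    return data[3:3 + (length & 0x3FFF) - padding]


def parse_server_hello(body: bytes) -> dict:
    """Parse a SERVER-HELLO body; raise ValueError for anything else."""
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    (_, session_id_hit, cert_type, version, cert_len, spec_len,
     conn_id_len) = struct.unpack(">BBBHHHH", body[:11])
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    conn_id = body[11 + cert_len + spec_len:11 + cert_len + spec_len + conn_id_len]
    if (len(cert), len(specs), len(conn_id)) != (cert_len, spec_len, conn_id_len):
        raise ValueError("truncated SERVER-HELLO")
    kinds = [specs[i:i + 3] for i in range(0, len(specs), 3)]
    return {
        "version": version,
        "session_id_hit": session_id_hit,
        "certificate_type": cert_type,  # 1 = X.509, as in the finding
        "certificate_der": cert,
        "ciphers": [SSLV2_CIPHER_KINDS.get(k, k.hex()) for k in kinds],
    }


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Return the parsed SERVER-HELLO if the service speaks SSLv2, else None."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while not record_complete(data):
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    try:
        return parse_server_hello(parse_record(data))
    except ValueError:
        return None  # TLS alert, plain close or garbage: SSLv2 not offered


# Constructed SERVER-HELLO (not a real capture): X.509 cert type, SSL 2.0,
# a 4-byte stand-in certificate, two cipher kinds and a 16-byte connection id.
SAMPLE_SERVER_HELLO = (
    b"\x80\x25"                                   # header: 37-byte body
    + b"\x04\x00\x01\x00\x02\x00\x04\x00\x06\x00\x10"
    + b"\x30\x82\x01\x00"                         # certificate stand-in
    + b"\x01\x00\x80\x07\x00\xc0"                 # RC4-MD5, DES-CBC3-MD5
    + b"\xaa" * 16                                # connection id
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe_sslv2(target) if target else parse_server_hello(
        parse_record(SAMPLE_SERVER_HELLO))
    print("SSLv2 not offered" if result is None else
          "SSLv2 offered, ciphers: " + ", ".join(result["ciphers"]))
```

Run with the audited host name as the only argument; a dictionary listing the advertised ciphers reproduces the scanner's evidence, while None (a TLS alert, a plain close, or a timeout) means the service does not offer SSLv2 at all. Without an argument the script parses the embedded sample so the parser can be exercised offline. Only the first handshake message is exchanged, so no key material is sent and the service sees exactly the probe a compliance scanner would send.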