Does NetWare have the reported SSL version 2 cryptographic weaknesses?

  • 7001266
  • 03-Sep-2008
  • 26-Apr-2012


Novell NetWare 6.5
Novell NetWare 6.0


The customer receives the following report from a security audit:

This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses. Secure web applications should only enable the SSLv3 or TLSv1 protocols. For PCI compliance validation scans, note that either or both of the SSLv3 or TLSv1 protocols must be enabled (i.e., SSLv2 cannot be the only supported protocol version).

REMEDIATION ACTION: Disable the use of SSL 2.0 if possible. Note that some older client software may not support the most recent protocol versions. The "SSLProtocol" configuration option in mod_ssl and Apache2 is commonly used to limit the protocol versions for web servers which use OpenSSL:
SSLProtocol -ALL +SSLv3 +TLSv1
Refer to the following Microsoft Knowledge Base article to remove SSLv2 support from Microsoft's Internet Information Server (IIS): http://

tcp /443 - X.509 Certificate
  • Cipher: DES-CBC-MD5
  • Cipher: DES-CBC3-MD5
  • Cipher: EXP-RC2-CBC-MD5
  • Cipher: EXP-RC4-MD5
  • Cipher: RC2-CBC-MD5
  • Cipher: RC4-64-MD5
  • Cipher: RC4-MD5


Novell does not have the reported issues with security and SSL.
Systems are vulnerable to the reported issue when using mod_ssl. All of the settings listed in the security alert are for platforms other than NetWare.
Novell does NOT use mod_ssl; we use mod_tls. This affords multiple levels of protection. On NetWare we always negotiate the highest level of encryption possible. All of our SSL traffic goes through libc and is passed along to winsock, which actually does all the work.
We do not have the cryptographic weakness issues that the security report suggests.
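
To re-test the audit finding on a server you administer, the following added example (not part of the original article or the audit report) speaks just enough of the SSLv2 handshake to see whether a CLIENT-HELLO is answered and which of the report's cipher names the server offers. The function names and the sample reply are constructed for illustration; the cipher codes are the standard SSLv2 cipher kinds.

```python
import socket
import struct

# SSLv2 cipher kinds (3-byte codes) and the OpenSSL names a scan report shows.
SSLV2_CIPHERS = {
    0x010080: "RC4-MD5", 0x020080: "EXP-RC4-MD5",
    0x030080: "RC2-CBC-MD5", 0x040080: "EXP-RC2-CBC-MD5",
    0x050080: "IDEA-CBC-MD5", 0x060040: "DES-CBC-MD5",
    0x0700C0: "DES-CBC3-MD5", 0x080080: "RC4-64-MD5",
}

def build_client_hello(challenge=bytes(16)):
    """SSLv2 CLIENT-HELLO record offering every cipher kind (fixed challenge; probe only)."""
    specs = b"".join(code.to_bytes(3, "big") for code in SSLV2_CIPHERS)
    # msg type 1, version 0x0002, spec length, session-id length 0, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # high bit set + 15-bit length

def parse_server_hello(record):
    """Cipher names from an SSLv2 SERVER-HELLO; None for anything else."""
    if len(record) < 13 or not record[0] & 0x80 or record[2] != 4:
        return None  # e.g. a TLS alert (first byte 0x15) from a server refusing SSLv2
    _hit, _ctype, ver, cert_len, spec_len, _conn = struct.unpack(">BBHHHH", record[3:13])
    if ver != 0x0002:
        return None
    specs = record[13 + cert_len:13 + cert_len + spec_len]
    codes = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs) - 2, 3)]
    return [SSLV2_CIPHERS.get(c, "unknown-0x%06x" % c) for c in codes]

def probe_sslv2(host, port=443, timeout=5.0):
    """Check a server you administer; None means no SSLv2 SERVER-HELLO came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            reader = sock.makefile("rb")
            header = reader.read(2)  # blocks until 2 bytes, EOF or timeout
            if len(header) < 2 or not header[0] & 0x80:
                return None
            body = reader.read(int.from_bytes(header, "big") & 0x7FFF)
            return parse_server_hello(header + body)
    except OSError:
        return None

# Constructed sample reply: 4-byte dummy certificate, two cipher kinds, 16-byte connection id.
SAMPLE_REPLY = (struct.pack(">HBBBHHHH", 0x8000 | 37, 4, 0, 1, 0x0002, 4, 6, 16)
                + b"CERT" + bytes.fromhex("060040020080") + bytes(16))

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_REPLY))
```

A `None` result from `probe_sslv2` means the server did not answer with an SSLv2 SERVER-HELLO; a list of names means SSLv2 is still accepted with those ciphers.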