#1 2011-02-18 15:56:39

bpenglase
Member
From: ::1
Registered: 2009-02-04
Website

Disable of SSLv2 on DS Server

Due to PCI Compliance, they are scanning all of our servers, and if any services are found to accept SSLv2 connections, we will have a certain period of time to correct that, and if we don't, the server/service goes offline. During the scan of my XServe, I found that both Open Directory and DeployStudio accept connections as SSLv2. I believe I can correct Open Directory (will have to do tests), I was unable to find anything to turn off SSLv2 on the DS Server.
Would it be possible to add an option to turn off, or outright disable, SSLv2 within DeployStudio, this way I can keep using it? :)

Offline

#2 2011-02-20 13:00:23

admin
Administrator
Registered: 2007-03-29
Website

Re: Disable of SSLv2 on DS Server

Hi, just run DeployStudio Assistant to reconfigure DSS and disable SSL encryption.
You'll probably need to update or create new netboot sets after that change.

Offline

#3 2011-02-23 02:41:49

bpenglase
Member
From: ::1
Registered: 2009-02-04
Website

Re: Disable of SSLv2 on DS Server

I mean to sound condescending/patronizing, but in an effort to be more secure, the solution is to turn off the security functionality? 
Does the DS Runtime make its SSL Handshake via SSLv2, or SSLv3/TLS?
I did find out this isn't a requirement for all servers on the network, just an effort being made to better secure the services of the college, and apply best practices. So it seems I could leave it running as is, and would just need to say "This can't be changed" and they would be fine with it, but in the interest of best practice, I'm curious as to how it handles the SSL handshake, and if SSLv2 does need to accept connections.

Slightly relevant link from 2005: http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/2005-April/000024.html - Sadly their reference URL at this time is dead, but it does have a good summarization.

Last edited by bpenglase (2011-02-23 02:44:54)

Offline

#4 2011-02-23 23:34:55

admin
Administrator
Registered: 2007-03-29
Website

Re: Disable of SSLv2 on DS Server

I've checked the source code and it uses the highest level security protocol that can be negotiated (TLSv1, SSLv3, SSLv2, none).

Offline

#5 2015-04-08 23:09:33

rundallj
Member
Registered: 2013-12-12

Re: Disable of SSLv2 on DS Server

It appears to me that in the past few years SSLv2 has been removed from DeployStudio but SSLv3 is still there.  Is there a way to disable it?

Thanks!

Offline

#6 2015-04-09 01:02:38

Meat
Member
From: SF CA US
Registered: 2009-02-04

Re: Disable of SSLv2 on DS Server

What OS, Server.app, and DeployStudio versions are you running on your server?
I believe this is fixed in more current versions of the OS and Server.app.
DeployStudio is likely utilizing the SSL from the OS. I could be wrong about that, but I think Qualys isn't complaining any more...

PCI compliance is confusing (and a royal pain!), but yes. You want SSL in that environment. I forget what flavor of SSL encryption is currently okay, but it isn't ssl3, or ssl2.

Last edited by Meat (2015-04-09 01:03:12)

Offline

#7 2015-04-09 22:46:37

rundallj
Member
Registered: 2013-12-12

Re: Disable of SSLv2 on DS Server

Thanks!  Qualys did, in fact, complain about this one ;)  But it's not running the latest and greatest.  This server is running 10.8.5 with Server.app 2.2.5.  It was running an older version of DeployStudio (1.6.4-NB140206 - it is a test box that wasn't getting attention).  But updating to DeployStudio 1.6.13 did not fix this.  But perhaps an upgrade of the OS / Server.app will.  Looks like 10.8.5 and 10.9.5 have OpenSSL 0.9.8zc while 10.10.3 has OpenSSL 0.9.8zd.  I'll be setting up a newer DeployStudio this summer so I'll see what happens with that.

Offline

#8 2015-04-10 01:58:42

rundallj
Member
Registered: 2013-12-12

Re: Disable of SSLv2 on DS Server

Quick update.  I installed DeployStudio 1.6.13 on a machine running 10.10.3 (no Server.app, but I wouldn't think that matters) and it seems to respond to SSLv3:

openssl s_client -connect mydstudserver.mydomain.com:60443 -ssl3
returns a successful handshake, etc.

but not SSLv2:

openssl s_client -connect mydstudserver.mydomain.com:60443 -ssl2
returns:
CONNECTED(00000003)
51098:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.8.1/src/ssl/s2_pkt.c:427:

So it looks to me like the current DeployStudio (1.6.13) on the most current OS (10.10.3) is responding to SSLv3.

Offline
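
The per-version handshake check from the post above, as an added example that is not part of the original thread or of DeployStudio: it sends a raw ClientHello for each protocol version and reads the version in the server's reply, which is useful because many current OpenSSL builds are compiled without `-ssl2`/`-ssl3` support. It covers SSLv3 through TLSv1.2 only (SSLv2 uses a different record format); the function names and the cipher suite list are choices made for this example.

```python
import os, socket, struct, sys

# Protocol versions as (major, minor) wire values; SSLv2 uses a different record format.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# RSA suites usable from SSLv3 upward: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
SUITES = (0x002F, 0x0035, 0x000A, 0x0005)

def client_hello(version):
    """Build a minimal, extension-free ClientHello record offering `version`."""
    body = bytes(version) + os.urandom(32) + b"\x00"           # version, random, empty session id
    body += struct.pack(">H", 2 * len(SUITES)) + struct.pack(">%dH" % len(SUITES), *SUITES)
    body += b"\x01\x00"                                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

def classify(reply, version):
    """Interpret the first bytes the server sent back to our ClientHello."""
    if len(reply) < 5 or reply[0] == 0x15:      # closed connection or alert record
        return "refused"                        # (can also mean no shared cipher suite)
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:   # ServerHello
        chosen = (reply[9], reply[10])          # server_version follows the handshake header
        return "accepted" if chosen == version else "negotiated-other"
    return "unknown"

def probe(host, port, name, timeout=5.0):
    """Send one ClientHello for the named version and classify the answer."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello(VERSIONS[name]))
            while len(reply) < 11:              # record header + handshake header + version
                chunk = sock.recv(11 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except OSError:
        pass                                    # timeout or reset: classify what arrived
    return classify(reply, VERSIONS[name])

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. your own DeployStudio server and 60443
    for name in VERSIONS:
        print(f"{name}: {probe(host, port, name)}")
```

A result of `accepted` for SSLv3 corresponds to the successful `-ssl3` handshake reported in the post; `negotiated-other` means the server answered with a different version than the one offered.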

#9 2015-04-10 16:12:06

Meat
Member
From: SF CA US
Registered: 2009-02-04

Re: Disable of SSLv2 on DS Server

Run another Qualys scan on the device?

Offline
