How Do I Block SSLv2 on NetScaler?

This article describes how to block SSLv2 on NetScaler.

Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.

Use Case

The SSL v2 protocol has many security vulnerabilities, which makes it essential to disable it and opt for stronger, more secure protocols such as TLS v1.1 / v1.2.
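The configuration change itself, as an added example that is not part of the original article: on a NetScaler release earlier than 12.1 (where the SSLv2 parameter still exists), the protocol is disabled per SSL virtual server, and on the back-end SSL service, from the NetScaler CLI. The virtual server name vs_web_https and the service name svc_web are assumed.

```console
> set ssl vserver vs_web_https -ssl2 DISABLED -ssl3 DISABLED
> set ssl service svc_web -ssl2 DISABLED -ssl3 DISABLED
> show ssl vserver vs_web_https
> save ns config
```

Check the protocol line of the show output to confirm SSLv2 (and SSLv3) now reads DISABLED before saving. If the default SSL profile is enabled on the appliance, the protocol settings come from the bound SSL profile instead, so disable the protocols there with set ssl profile <profile name> -ssl2 DISABLED.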

Introduction to SSL v2

SSL v2 (SSL 2.0) is a protocol created by Netscape in 1994. Many security vulnerabilities were identified in it, many of which were later resolved in SSL v3, which is itself also affected by security vulnerabilities.

Here is a list of some of the flaws in SSL v2:

  1. SSL v2 has a weak MAC (message authentication code) construction, which uses 40-bit encryption in export mode. It uses the MD5 hash function, which makes it vulnerable to length extension attacks in which an attacker can delete bytes from the end of messages.
  2. It is vulnerable to a cipher suite attack because the handshake messages are not protected. In this attack, the attacker edits the list of cipher suite preferences in the hello messages to a weaker cipher suite without detection. This forces the client and server to agree on a weaker form of encryption than they would otherwise have chosen.
  3. Message authentication and message encryption use the same key. This causes a problem if the client and server negotiate weak encryption.
  4. Session termination can be forged. A man-in-the-middle attacker can easily insert a TCP FIN to terminate the session. The receiving endpoint cannot determine whether this is a legitimate end-of-session request, resulting in an unwanted termination.
  5. SSL v2 does not support certificate chains and does not support non-RSA algorithms. It supports only RSA key exchange, which may not be the preferred option in many cases.
  6. SSL v2 supports only one domain certificate per service. This is not preferable because it does not support virtual hosting for web servers.
