2.5 Disabling the SSL 2.0 Protocol

The built-in protections of SSL 3.0 for version rollback attacks (where the session is rolled back to SSL 2.0 even when both client and server support SSL 3.0) are not effective against a version rollback attackers who can brute force the key and substitute a new ENCRYPTED-KEY-DATA message containing the same key (but with normal padding) before the application specified wait threshold has expired. You can disable SSL 2.0 on the server, so it is not possible to establish a session using SSL 2.0, and so version rollback attacks are not be possible.

For information about disabling the SSL 2.0 protocol for the Apache server, see Configuring the SSL Cipher Suites for the Apache Server in the Novell iFolder 3.7 Administration Guide.

For information about configuring strong SSL/TLS security solutions, see SSL/TLS Strong Encryption: How-To on the Apache.org Web site.