SSL Version 2 and 3 Protocol Detection (Linux) Vulnerability
Written by Luke Peach
Updated over a week ago

When a vulnerability scanner detects the SSL Version 2 and 3 Protocol Detection vulnerability, it reports it with a CVSS v3 score of 9.8.

CVSS is an industry-standard scoring system for vulnerabilities: it rates each finding with a number from 0 to 10. The ratings are shown as:

Both SSL and TLS are cryptographic protocols designed to secure communications over a network. Originally there were SSL version 1 and version 2, but they had a lot of security holes. Version 3, however, held up better and was widely supported. The problem with version 3 was the POODLE exploit, after which people started getting rid of SSLv3. TLS v1.0 was largely based on (but not compatible with) SSLv3. TLS 1.1 replaced v1.0 (circa 2006). Problems with it prompted TLS 1.2 (circa 2008), which was the standard until TLS v1.3 (circa 2018). However, using the newest protocol does not necessarily mean you are more secure: most documentation says TLS 1.2 'should' be secure. This is because these protocols are built on cryptographic ciphers and are only as secure as those ciphers. You can weaken a strong protocol with a weak cipher and render it less secure. In some cases you may need to do this, or you might simply enable a cipher to fix a 'problem' without understanding the consequences.

To help protect against this vulnerability, you need to disable the older protocols by changing the SSL configuration file. The location of this file depends on the service you are running, for example Apache or Nginx.

The SSL configuration section or file should contain an SSL protocol setting that looks similar to the line below (this is the Apache SSLProtocol directive):

SSLProtocol -all -TLSv1 +TLSv1.1 -SSLv3 -SSLv2 +TLSv1.2

Note: A restart of the service and/or the server will be required after making these changes.
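To confirm that the directive you ended up with really leaves SSLv2 and SSLv3 off, the following added script (not part of this article or of Apache/Nginx) applies the parsing rules of Apache's SSLProtocol directive ('+' adds a protocol, '-' removes one, a bare keyword replaces the whole set, 'all' expands to every protocol except SSLv2) and the plain whitelist rule of Nginx's ssl_protocols, then reports which weak protocols remain enabled. The sample config lines are constructed; the 'all' expansion is an assumption that may differ by httpd version.

```python
"""Audit Apache SSLProtocol / Nginx ssl_protocols lines for SSLv2 and SSLv3."""
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Assumption: Apache's 'all' keyword means every protocol except SSLv2, as the
# httpd docs describe (recent 2.4 releases reject the SSLv2 keyword outright).
APACHE_ALL = ALL_PROTOCOLS - {"SSLv2"}
WEAK = {"SSLv2", "SSLv3"}  # the protocols this finding is about


def apache_enabled(value):
    """Apply Apache SSLProtocol semantics left to right: '+' adds, '-' removes,
    a bare keyword replaces the whole set. Returns the enabled protocol set."""
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        members = APACHE_ALL if name.lower() == "all" else {name}
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = set(members)
    return enabled


def nginx_enabled(value):
    """Nginx ssl_protocols is a plain whitelist: only listed protocols are on."""
    return set(value.rstrip(";").split())


DIRECTIVES = {"sslprotocol": apache_enabled, "ssl_protocols": nginx_enabled}


def audit_line(line):
    """Return (enabled_protocols, weak_still_enabled) for one config line,
    or None when the line is not a protocol directive (comments are skipped)."""
    m = re.match(r"\s*(SSLProtocol|ssl_protocols)\s+(.+?)\s*$", line, re.I)
    if not m:
        return None
    enabled = DIRECTIVES[m.group(1).lower()](m.group(2))
    return enabled, enabled & WEAK


if __name__ == "__main__":
    # Constructed sample lines; the first is the directive from this article.
    for cfg in ("SSLProtocol -all -TLSv1 +TLSv1.1 -SSLv3 -SSLv2 +TLSv1.2",
                "SSLProtocol all -SSLv2",
                "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"):
        enabled, weak = audit_line(cfg)
        status = "FAIL: %s still enabled" % sorted(weak) if weak else "OK"
        print("%-58s -> %s" % (cfg, status))
```

The second sample shows a common mistake: "all -SSLv2" still leaves SSLv3 on, so the scanner finding would persist after the restart.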
