Disable SSL v2 in imap

Discussion in 'E-mail Discussions' started by EWD, Nov 22, 2007.

  1. EWD

    EWD Well-Known Member
    PartnerNOC

    Joined:
    Aug 19, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    NY
    Hi Guys,

    To disable SSL v2 in apache you add "SSLProtocol all -SSLv2" to httpd.conf.

    How do I go about doing the same for IMAP?

    We have installed an SSL certificate to IMAP via WHM and now customers running PCI scanning (like scanalert, hackerguardian, etc...) are getting flagged because SSL v2 is enabled on port 993.

    Anyone have any ideas?

    Thanks in advance for any help.
     
  2. handsonhosting

    handsonhosting Well-Known Member

    Joined:
    Feb 17, 2002
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Omaha, NE
    cPanel Access Level:
    Root Administrator
    Just received a report here from a user with HackerGuardian with the following notice:

    "Support SSL Version 2.0 or less"

    Hackerguardian wants versions less than 2.0 disabled. I'm assuming it's a similar issue as to what Emerson is having?
     
  3. EWD

    Hey Conor, fancy meeting you here ;)

    That is the exact issue I am having :/
     
  4. EWD

    Heh,

    In "WHM > Service Configuration > Courier Configuration" you can:

    - Only permit SSLv2 connections
    - Permit SSL v2 or v3 connections and TLSv1 connections
    - Only permit TLSv1 Connections

    But why would cPanel not add the option to only permit SSLv3?
    Just weird.

    I guess we can select "Only permit TLSv1 Connections" ??
     
  5. SageBrian

    SageBrian Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    415
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    NY/CT (US)
    cPanel Access Level:
    Root Administrator
    It seems the proper way cPanel should word their config screen is:

    - Permit SSLv2 or less
    - Permit SSLv3
    - Permit TLSv1

    Then we can decide which to enable.

    Brian
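
An added example, not part of the thread: a Python check an administrator can run against their own IMAPS port (993 in the thread) after changing the Courier setting, to confirm that an SSLv2 hello is no longer answered. The function names are hypothetical and the two sample replies are constructed for illustration; the message layout follows the SSL 2.0 record format.

```python
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = [b"\x01\x00\x80", b"\x02\x00\x80", b"\x03\x00\x80",
                b"\x04\x00\x80", b"\x05\x00\x80", b"\x06\x00\x40", b"\x07\x00\xc0"]

# Constructed sample replies (not captured from a real server).
SAMPLE_SSL2_SERVER_HELLO = struct.pack(">HBBBHHHH", 0x8000 | 11, 4, 0, 1, 2, 0, 0, 0)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal handshake_failure

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Return an SSLv2 CLIENT-HELLO record (2-byte header, high bit set)."""
    specs = b"".join(SSL2_CIPHERS)
    # msg type 1, version 0x0002, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_reply(data):
    """Classify the first bytes a server sends back after the SSLv2 hello."""
    if not data:
        return "closed"              # connection dropped: SSLv2 refused
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 4:
        return "sslv2-accepted"      # SSLv2 SERVER-HELLO (msg type 4)
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0:
        return "sslv2-error"         # SSLv2 ERROR message: server still speaks SSLv2
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"           # SSLv3/TLS alert record: SSLv2 refused
    return "unknown"

def probe(host, port=993, timeout=5.0):
    """Send the hello to an implicit-SSL port you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            return classify_reply(sock.recv(64))
        except (socket.timeout, ConnectionResetError):
            return "closed"

if __name__ == "__main__":
    print(classify_reply(SAMPLE_SSL2_SERVER_HELLO), classify_reply(SAMPLE_TLS_ALERT))
```

A result of "closed" or "tls-alert" from `probe()` is what a PCI scan expects to see once SSLv2 is disabled; "sslv2-accepted" or "sslv2-error" means the service still speaks SSLv2.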
     