We are trying to remediate some issues for PCI with our CAS server (Exchange 2010 SP1 on Windows Server 2008 R2). The vulnerability that we need to plug is: TLS/SSL Server Supports SSLv2. The solution that I have seen for this is to turn off SSLv2 on the CAS server, but will this affect webmail or any mobile devices from receiving mail or otherwise working properly?
Here is what I found on the web:
TLS/SSL Server Supports SSLv2
Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an older implementation of the Secure Sockets Layer protocol. It suffers from a number of security flaws allowing attackers to capture and alter information passed between a client and the server, including the following weaknesses:
No protection against man-in-the-middle attacks during the handshake.
Weak MAC construction and MAC relying solely on the MD5 hash function.
Exportable cipher suites unnecessarily weaken the MACs.
Same cryptographic keys used for message authentication and encryption.
Vulnerable to truncation attacks by forged TCP FIN packets.
SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3 meet the U.S. FIPS 140-2 standard, which governs cryptographic modules for use in federal information systems. Only the newer TLS (Transport Layer Security) protocol meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment Card Industry) Data Security Standard.
Note that this vulnerability will be reported when the remote server supports SSLv2 regardless of whether TLS or SSLv3 are also supported.
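As an added example (not part of the original post), this is the SCHANNEL registry change that turns off SSLv2 for inbound connections on Windows Server 2008 R2 and reads the values back for the PCI evidence file. It assumes the standard SCHANNEL key layout, which is absent until created, an elevated PowerShell prompt, and a reboot afterwards.

```powershell
# Added example: disable SSLv2 on the server side of the Windows SCHANNEL stack.
# The "SSL 2.0\Server" key does not exist on a fresh install; creating it with
# Enabled=0 and DisabledByDefault=1 switches the protocol off for all inbound
# listeners that use SCHANNEL (IIS/OWA, ActiveSync, Outlook Anywhere).
# Requires an elevated prompt; SCHANNEL reads the keys at boot, so reboot after.

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$serverKey = Join-Path $base 'SSL 2.0\Server'

# Create the key if it is missing.
if (-not (Test-Path $serverKey)) {
    New-Item -Path $serverKey -Force | Out-Null
}

# Enabled=0 disables the protocol outright; DisabledByDefault=1 keeps it out of
# the "default" protocol set even if an application does not name protocols.
New-ItemProperty -Path $serverKey -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $serverKey -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null

# Read back what was written so the change can be recorded and re-checked later.
$state = Get-ItemProperty -Path $serverKey
if ($state.Enabled -eq 0 -and $state.DisabledByDefault -eq 1) {
    Write-Host "SSLv2 server-side disabled in $serverKey; reboot for SCHANNEL to apply it."
} else {
    Write-Warning "Registry values not as expected: Enabled=$($state.Enabled) DisabledByDefault=$($state.DisabledByDefault)"
}
```

Only the Server subkey is touched, so connections the server itself initiates as a client are unchanged; the same key layout (with "SSL 3.0" in place of "SSL 2.0") governs SSLv3 if that is later required as well.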