Support often receives questions about how to disable SSLv2 on McAfee Email Gateway (MEG) 7.x so that the Appliance passes compliance checks. The steps to disable it follow.

 

How to disable SSLv2 for Email Gateway

Technical Articles ID:  KB76671

 

Environment

McAfee Email Gateway 7.x

 

Summary

To pass compliance scans, you must disable SSLv2 on the Email Gateway. SSLv2 is an obsolete protocol with known cryptographic weaknesses, and vulnerability scanners flag any listener that still accepts it.

 

To determine if SSLv2 is enabled:

 

    Open an SSH session to the Appliance. For more information, see KB60469.

    Type the following command:

 

    openssl s_client -connect <Appliance_IP>:25 -starttls smtp -ssl2

 

    where <Appliance_IP> is the IP address of the Appliance you are testing.

 

    If the handshake completes (openssl prints the server certificate and a negotiated SSLv2 cipher), SSLv2 is enabled on the SMTP listener. Note that the -ssl2 option exists only in older OpenSSL builds such as the one on the Appliance: OpenSSL 1.1.0 and later removed SSLv2 entirely, so "unknown option -ssl2" from a newer client means the test could not run, not that SSLv2 is disabled.

 

 

To disable SSLv2 for SMTP TLS:

 

    Export and extract the Appliance configuration file:

        Create a new folder and assign a descriptive name. For example, Appliance_config_backup.

        Log on to the Appliance Management Console and select System, System Administration, Cluster Management, Backup and Restore Configuration.

        Click Backup Config, then click the link to save the configuration.

        Save this configuration to the new folder.

 

        NOTE: The numbers in the name of the configuration file change with new versions and updates.

 

        Right-click the configuration file and select Open with WinZip.

        At the top of the dialog box, click the Extract icon, navigate to the new folder, and click Extract.

        Save a copy of the configuration .zip file to a backup location.

 

        NOTE: Ensure that you do not delete or move the folders extracted from the .zip file.

 

     Edit the Appliance configuration file:

        Navigate to the folders you extracted and locate the smtp-config.xml file.

        Right-click smtp-config.xml and select Open with WordPad.

        Search for ForbiddenCiphers. The entry is in the following section:

 

        <encryption>
          <ForbiddenCiphers>
            <Attr value="aNULL" name="0"/>
          </ForbiddenCiphers>
          <PermissibleCiphers>
            <Attr value="ALL" name="0"/>
          </PermissibleCiphers>
        </encryption>

 

        Change the entry to read as follows, adding SSLv2 to the forbidden ciphers (the name attribute is the next free index):

 

        <encryption>
          <ForbiddenCiphers>
            <Attr value="aNULL" name="0"/>
            <Attr value="SSLv2" name="1"/>
          </ForbiddenCiphers>
          <PermissibleCiphers>
            <Attr value="ALL" name="0"/>
          </PermissibleCiphers>
        </encryption>

 

        Click Save.

        In the folder you created earlier, select all three extracted sub-folders, right-click, select WinZip, and click Add to Zip file.

        Click New.

        Click the Up One Level icon.

        In the File Name field, type edited_config.zip, then click OK.

        Click Add.

 

    Restore the Configuration File to the Appliance:

        Log on to the Appliance Management Console and select System, System Administration, Cluster Management, Backup and Restore Configuration.

        Click Restore from File, locate the .zip file you created, and click OK.

        Select the Values to Restore and click OK.

        Click Close.

        Click Apply Changes.

        Type a comment and click OK.

 

    Confirm that SSLv2 is disabled:

        Open an SSH session to the Appliance. For more information, see KB60469.

        Type the following command:

 

        openssl s_client -connect <Appliance_IP>:25 -starttls smtp -ssl2

        You will see an error similar to the following, because the client can no longer negotiate any SSLv2 cipher suite with the Appliance:

 

        error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
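The export, edit and re-zip steps above are manual (WinZip and WordPad). The following is an added example, not McAfee code, that performs the same edit on the downloaded backup .zip without touching any other byte of the configuration: it locates smtp-config.xml inside the archive, checks that ForbiddenCiphers is present exactly once, appends an Attr entry for SSLv2 with the next free name index, and re-writes the archive. The sample XML is the fragment quoted in this article wrapped in a made-up <smtp> root, and the member path config/smtp-config.xml and the helper names are assumptions; the restore step on the Appliance is still done through the Management Console.

```python
"""Hypothetical helper (an added example, not McAfee's code): forbid a cipher
string in the smtp-config.xml inside an exported MEG 7.x configuration .zip."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: the <encryption> block quoted in the article, wrapped in a
# made-up <smtp> root so it parses. A real smtp-config.xml contains much more.
SAMPLE_SMTP_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<smtp>
  <encryption>
    <ForbiddenCiphers>
      <Attr value="aNULL" name="0"/>
    </ForbiddenCiphers>
    <PermissibleCiphers>
      <Attr value="ALL" name="0"/>
    </PermissibleCiphers>
  </encryption>
</smtp>
"""

FORBIDDEN_BLOCK = re.compile(r"<ForbiddenCiphers>(.*?)</ForbiddenCiphers>", re.DOTALL)


def _forbidden_node(xml_text):
    """The single <ForbiddenCiphers> element; refuse to guess if there are several."""
    root = ET.fromstring(xml_text)
    nodes = root.findall(".//ForbiddenCiphers")
    if len(nodes) != 1:
        raise ValueError("expected exactly one <ForbiddenCiphers>, found %d" % len(nodes))
    return nodes[0]


def forbidden_values(xml_text):
    """Cipher-string values currently listed under <ForbiddenCiphers>, in order."""
    return [a.get("value") for a in _forbidden_node(xml_text).findall("Attr")]


def forbid_cipher(xml_text, cipher="SSLv2"):
    """Append <Attr value=cipher name=N/> under <ForbiddenCiphers>; N is one past the
    highest existing index (the article's example goes from name="0" to name="1").
    Returns (new_text, changed). The insertion is done on the raw text so every
    other byte of the file is untouched: re-serialising through ElementTree would
    drop the XML declaration and comments, and the Appliance's parser is not ours."""
    attrs = _forbidden_node(xml_text).findall("Attr")
    if any(a.get("value") == cipher for a in attrs):
        return xml_text, False                          # already forbidden: no-op
    next_name = max((int(a.get("name", "-1")) for a in attrs), default=-1) + 1
    m = FORBIDDEN_BLOCK.search(xml_text)
    if m is None:
        raise ValueError("<ForbiddenCiphers> tag not in the expected form; edit by hand")
    body = m.group(1)
    kept = body.rstrip(" \t")                           # up to the close tag's indentation
    close_indent = body[len(kept):]
    attr_indents = re.findall(r"\n([ \t]*)<Attr\b", kept)
    indent = attr_indents[-1] if attr_indents else close_indent + "  "
    if not kept.endswith("\n"):
        kept += "\n"
    new_body = '%s%s<Attr value="%s" name="%d"/>\n%s' % (kept, indent, cipher, next_name, close_indent)
    new_text = xml_text[:m.start(1)] + new_body + xml_text[m.end(1):]
    ET.fromstring(new_text)                             # must still be well-formed
    return new_text, True


def forbid_cipher_in_backup(backup_zip, cipher="SSLv2"):
    """Rewrite an exported configuration .zip (bytes): members named smtp-config.xml
    get the cipher forbidden, everything else is copied verbatim so the extracted
    folder layout the article warns about stays intact. Returns (zip_bytes, changed_members)."""
    out, changed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(backup_zip)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.endswith("smtp-config.xml"):
                text, did = forbid_cipher(data.decode("utf-8"), cipher)
                if did:
                    data, changed = text.encode("utf-8"), changed + [info.filename]
            dst.writestr(info, data)
    return out.getvalue(), changed


def read_member(zip_bytes, name):
    """Decode one member of an in-memory zip (used to inspect the result)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return z.read(name).decode("utf-8")


def build_sample_backup():
    """Constructed stand-in for the Backup Config download (member path is assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config/smtp-config.xml", SAMPLE_SMTP_CONFIG)
        z.writestr("config/other.xml", "<other/>\n")
    return buf.getvalue()


if __name__ == "__main__":
    edited, members = forbid_cipher_in_backup(build_sample_backup())
    print("changed:", members)
    print(read_member(edited, "config/smtp-config.xml"))
```

Running the script twice over the same archive changes nothing the second time, which makes it safe to include in a repeatable hardening run; any archive with zero or several ForbiddenCiphers blocks is rejected rather than guessed at.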

 

SSLv2 is now disabled for SMTP TLS transactions on the Appliance.
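The check described in both the "determine" and "confirm" steps depends on an openssl that still accepts -ssl2, which the Appliance's own build does but a current scan host will not. The following is an added example, not McAfee tooling, that performs the same test from any host: it runs the SMTP banner/EHLO/STARTTLS exchange itself and then sends a raw SSLv2 CLIENT-HELLO, classifying the reply as an SSLv2 SERVER-HELLO with ciphers (SSLv2 enabled), an SSLv2 SERVER-HELLO with no ciphers (the server side of the "no cipher list" error the article shows after the fix), a TLS alert, or a closed connection. The cipher-kind constants and message layouts are from the SSLv2 specification; the hostname argument and function names are assumptions, and the sample server replies in the test are constructed.

```python
"""Raw SSLv2 probe for an SMTP STARTTLS listener. Added example, not McAfee tooling:
it sends an SSLv2 CLIENT-HELLO itself, so the check does not depend on the local
openssl still accepting -ssl2 (OpenSSL 1.1.0 and later removed SSLv2 altogether)."""
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) to offer; any one accepted proves SSLv2 is on.
SSLV2_CIPHER_KINDS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def _record(body):
    """2-byte SSLv2 record header; high bit set means no padding byte follows."""
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_client_hello(challenge=None):
    """CLIENT-HELLO: type 1, version 0x0002, cipher-specs/session-id/challenge
    lengths, the cipher specs, then a 16-byte challenge."""
    challenge = os.urandom(16) if challenge is None else challenge
    specs = b"".join(SSLV2_CIPHER_KINDS)
    return _record(b"\x01\x00\x02" + struct.pack(">HHH", len(specs), 0, len(challenge)) + specs + challenge)


def build_server_hello(cipher_kinds, cert=b"", conn_id=b"\x00" * 16):
    """SERVER-HELLO as a server sends it (used here to build constructed sample input):
    type 4, session-id-hit, cert type, version, cert/cipher-specs/conn-id lengths."""
    specs = b"".join(cipher_kinds)
    return _record(b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(cert), len(specs), len(conn_id)) + cert + specs + conn_id)


def parse_server_hello(data):
    """Cipher kinds offered in an SSLv2 SERVER-HELLO, or None if data is not one."""
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 0x04:
        return None
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
    hello = data[2:2 + rec_len]
    cert_len, specs_len, _ = struct.unpack(">HHH", hello[5:11])
    specs = hello[11 + cert_len:11 + cert_len + specs_len]
    return [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]


def classify_response(data):
    """'sslv2-no-ciphers' is a server that still answers in SSLv2 framing but offers no
    SSLv2 cipher, so no SSLv2 session can be set up (the 'no cipher list' case)."""
    specs = parse_server_hello(data)
    if specs is not None:
        return "sslv2-enabled" if specs else "sslv2-no-ciphers"
    if not data:
        return "closed"
    return "tls-alert" if data[0] == 0x15 else "other"


def read_reply(sock):
    """One SMTP reply, possibly multi-line: '250-' continues, '250 ' ends it."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP peer closed the connection")
        buf += chunk
        lines = buf.split(b"\r\n")[:-1]
        if lines and len(lines[-1]) >= 4 and lines[-1][3:4] == b" ":
            return int(lines[-1][:3]), lines


def probe_sslv2(host, port=25, timeout=10.0):
    """Full exchange: banner, EHLO, STARTTLS, then the raw SSLv2 CLIENT-HELLO."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, _ = read_reply(s)
        if code != 220:
            return "smtp-error-%d" % code
        s.sendall(b"EHLO sslv2-probe.invalid\r\n")
        code, lines = read_reply(s)
        if code != 250 or not any(l[4:].upper().startswith(b"STARTTLS") for l in lines):
            return "no-starttls"
        s.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(s)
        if code != 220:
            return "starttls-refused-%d" % code
        s.sendall(build_client_hello())
        data = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
                if data[0] & 0x80 and len(data) >= (struct.unpack(">H", data[:2])[0] & 0x7FFF) + 2:
                    break                        # whole SSLv2 record received
                if data[0] == 0x15 and len(data) >= 7:
                    break                        # whole TLS alert record received
        except socket.timeout:
            pass
        return classify_response(data)


if __name__ == "__main__":
    import sys
    print(probe_sslv2(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run it as `python probe.py <Appliance_IP>`; only "sslv2-enabled" is a finding, and "sslv2-no-ciphers" is the expected state of the Appliance after the ForbiddenCiphers change. Point it only at hosts you are authorised to test, since the exchange is visible in the Appliance's SMTP logs.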