Hi, I have a Windows Server 2003 and applied the Qualys recommendations to fix this vulnerability, but it's still present. How can I fix it?
SSLv2 is insecure and has been superseded by SSLv3, which most/all browsers have been supporting now for approx. 10 years. Essentially, there is no need to support SSLv2 anymore. Additionally, it is specifically called out as a required PCI Failing Vulnerability.
The solution would be to disable any SSLv2 Connections on the Server Side, and only allow secure connections such as SSLv3. You may need to reach out to the vendor for specific configuration details on how to disable SSLv3 on your specific platform.
We would need further information (scan results) before we could provide details. Please open a case with Technical Support (firstname.lastname@example.org) so that we can review the scan results and provide further details.
Additionally, sometimes the server will advertise the use of SSLv2, but you may have additional controls in place that do not actually allow the establishment of any such connections using SSLv2.
Our Scanner will report the potential vulnerability based on the advertised protocol.
In this case, if you investigate and confirm that SSLv2, although advertised externally, cannot actually be used to establish a connection, you can then submit this as a PCI False Positive Exception Request, and we should be able to approve it for PCI Compliance.
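One way to gather evidence for the "advertised but not usable" case described above, as an added example that is not part of the original thread and is not Qualys's scanner logic: it sends an SSLv2 CLIENT-HELLO and classifies the first reply. The function names are hypothetical, and treating a SERVER-HELLO with an empty cipher list as "advertised only" is this example's assumption.

```python
import os
import socket
import struct

# The seven SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = bytes.fromhex("010080020080030080040080050080060040" "0700c0")

def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    # msg type 1, version 0x0002, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, MSB set

def classify_reply(data):
    """Classify the first bytes a server sends back after an SSLv2 CLIENT-HELLO."""
    if not data:
        return "rejected"            # closed or reset without answering
    if data[0] in (0x15, 0x16) and len(data) > 1 and data[1] == 3:
        return "rejected"            # SSLv3/TLS alert or handshake record instead
    if len(data) < 3 or not data[0] & 0x80:
        return "unknown"
    if data[2] == 0:
        return "rejected"            # SSLv2 ERROR message
    if data[2] != 4 or len(data) < 13:
        return "unknown"
    # SERVER-HELLO: hit, cert type, version, cert len, cipher-spec len, conn-id len
    _hit, _ctype, version, _clen, cipher_len, _idlen = struct.unpack(">BBHHHH", data[3:13])
    if version != 0x0002:
        return "unknown"
    return "usable" if cipher_len > 0 else "advertised-only"

def probe(host, port=443, timeout=5.0):
    """Send one CLIENT-HELLO to a server you administer and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            while len(data) < 13:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                     # timeout or reset counts as no reply
    return classify_reply(data)

if __name__ == "__main__":
    # Constructed sample: SERVER-HELLO with zero cipher specs and a 16-byte connection id.
    sample = bytes.fromhex("801b04000100020000" "0000" "0010") + bytes(16)
    print(classify_reply(sample))
```

A result of "usable" means SSLv2 is still enabled on the server; "advertised-only" or "rejected", together with the scan report, is the kind of evidence the false-positive request above would need.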