Insecure Transportation Security Protocol Supported (SSLv2) - Vulnerability Database

Description

The remote service supports SSL 2.0, a cryptographic protocol that has been deprecated since 1996 due to fundamental security flaws. SSL 2.0 contains multiple vulnerabilities including weak cipher suites, lack of protection for the handshake process, and susceptibility to man-in-the-middle attacks. Modern security standards prohibit its use, and it should be disabled on all production systems.

Remediation

Disable SSL 2.0 and SSL 3.0 entirely on all servers and services. Configure systems to use only TLS 1.2 or TLS 1.3 with strong cipher suites.

For common server platforms:

Apache (httpd.conf or ssl.conf):

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!SSLv2:!SSLv3

Nginx (nginx.conf):

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5:!SSLv2:!SSLv3;

Microsoft IIS: Use the IIS Crypto tool, or edit the registry to disable SSL 2.0 and SSL 3.0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

After making changes, restart the affected services and verify the configuration using SSL testing tools such as SSL Labs' SSL Server Test or nmap with the ssl-enum-ciphers script.
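Before restarting, the Apache and Nginx directives above can also be checked statically. The following is an added example, not Invicti's code: it evaluates each SSLProtocol / ssl_protocols line and reports any protocol older than TLS 1.2 that stays enabled. The function names and the sample configuration are constructed for illustration; the expansion of Apache's "all" keyword and the handling of bare (unsigned) protocol names are assumptions of this example.

```python
import re

WEAK = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # the page allows TLS 1.2/1.3 only
EVERYTHING = set(WEAK) | {"TLSv1.2", "TLSv1.3"}  # assumed expansion of Apache "all"
CANON = {p.lower(): p for p in EVERYTHING}

def apache_enabled(args):
    """SSLProtocol, left to right: +X adds, -X removes, bare X replaces (assumed)."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = EVERYTHING if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)
    return enabled

def nginx_enabled(args):
    """ssl_protocols is a plain list of the protocols to enable."""
    return {CANON.get(t.lower(), t) for t in args.rstrip(";").split()}

DIRECTIVES = {"sslprotocol": apache_enabled, "ssl_protocols": nginx_enabled}

def audit(config_text):
    """Return (line_no, directive, weak protocols) for each offending line."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        # Drop comments, then split the line into directive and arguments.
        m = re.match(r"(\S+)\s+(.*)", raw.split("#", 1)[0].strip())
        parse = DIRECTIVES.get(m.group(1).lower()) if m else None
        enabled = parse(m.group(2)) if parse else set()
        weak = [p for p in WEAK if p in enabled]
        if weak:
            findings.append((no, m.group(1), weak))
    return findings

# Constructed sample: one weak and one hardened line per server.
SAMPLE = """\
SSLProtocol all -SSLv3           # legacy protocols other than SSLv3 remain
SSLProtocol -all +TLSv1.2 +TLSv1.3
ssl_protocols SSLv2 SSLv3 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A clean result here only covers the directives it parses; the live service still needs the external scan described above.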
