I'm looking to discover what servers in my inventory have SSL v2.0 enabled. For security reasons, I'd like to see that it gets disabled, but I'm not finding information that I can easily query that tells me it is 'enabled' other than executing an openssl command to each machine.

I did find a couple of articles that describe adding/changing the registry to a particular value, but I don't see what exactly I can query from the Windows registry via KACE Scripting to locate who is affected.

How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
Disable SSLv2 for Microsoft IIS7 under Windows Server 2008 64bit

When I peruse the Windows Registry on one server where SSLv2 is enabled and another where it is not, the key 'HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\' looks the same between the two. There is no preexisting 'Enabled' DWORD.

Any help to point me in the right direction is much appreciated.


Using the openssl command you could maybe use a custom inventory rule:
Depending on the data at the command line, that could return it to the K1 database.
Otherwise you could use the CI to return the registry value if it existed.
Answered 08/18/2011 by: cblake
Red Belt

cblake, that sounds promising. Let me get this straight because I'm new to KACE. The Custom Inventory command would look something like...

ShellCommandTextReturn(openssl s_client -ssl2 -connect

Is there a means of querying the openssl results for something descriptive like "ssl handshake has read"?

There's probably a better means than what I'm thinking, but I appreciate the help.
Answered 08/18/2011 by: fauveld
Orange Belt
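
The registry check discussed in this thread, as an added example (not code posted by anyone in the thread): a PowerShell script that reports the 'Enabled' DWORD for SSL 2.0 and handles the case from the question where the value does not exist. It assumes the value lives under the 'Server' and 'Client' subkeys of the protocol key, as in Microsoft's article on disabling protocols; the function name Get-SchannelProtocolState is hypothetical.

```powershell
# Added example: report the SChannel SSL 2.0 configuration of the local machine.
# Each result is a single text line so an inventory tool can capture and search it.
# Assumption: the 'Enabled' DWORD sits under the 'Server' / 'Client' subkeys.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory = $true)] [string] $ProtocolKey,
        [ValidateSet('Server', 'Client')] [string] $Role = 'Server'
    )

    $path = Join-Path $ProtocolKey $Role

    # Case 1: the role subkey was never created.
    if (-not (Test-Path -LiteralPath $path)) {
        return "SSL2 $Role=NotConfigured (subkey missing; OS default applies)"
    }

    # Case 2: the subkey exists but has no 'Enabled' value.
    # GetValue returns the supplied default ($null) when the value is absent.
    $enabled = (Get-Item -LiteralPath $path).GetValue('Enabled', $null)
    if ($null -eq $enabled) {
        return "SSL2 $Role=NotConfigured (no Enabled value; OS default applies)"
    }

    # Case 3: the value is set explicitly. 0 disables, any non-zero value enables.
    if ([int64]$enabled -eq 0) {
        return "SSL2 $Role=Disabled (Enabled=0)"
    }
    return "SSL2 $Role=Enabled (Enabled=$enabled)"
}

foreach ($role in 'Server', 'Client') {
    Get-SchannelProtocolState -ProtocolKey $base -Role $role
}
```

A NotConfigured result means the machine is running on the operating system's default for SSL 2.0, so those hosts are the ones to confirm with a network probe such as the openssl test mentioned above.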

Please log in to comment