Why Does Serv-U Disable Support for SSLv3 and SSLv2? - KB Article #2170
Starting with version 15.1.1 of Serv-U, support for SSLv2 and SSLv3 is disabled for all new and existing installations. This means that only TLS can be negotiated when a client establishes a secure channel with Serv-U over FTPS or HTTPS. SSLv3 and SSLv2 were disabled in response to the recently reported POODLE vulnerability in SSLv3 (CVE-2014-3566).
SSLv2 has numerous documented flaws: its handshake is not integrity protected, so an active attacker can force both sides onto the weakest cipher they offer; it includes 40-bit export-grade ciphers and an MD5-based MAC; and given modern computing resources and several well known attack vectors it can no longer establish a reliably secure channel. The IETF prohibited its use in 2011 (RFC 6176), and most security scanning software flags it and recommends disabling it. For those in the business of securely transferring data (such as banks or the health care industry), disabling SSLv2 is a must. For users of Serv-U, it is no longer something that must be actively disabled.
SSLv3 is a different story. Despite not being FIPS compliant and having been superseded by TLSv1.0 many years ago, it is still commonly used today. For all practical purposes, most client applications that support SSLv3 also support TLSv1.0. The recent discovery of the POODLE vulnerability in SSLv3 has brought mainstream attention to the age and weakness of the protocol and forced vendors to re-examine their support for it. POODLE uses the unverified CBC padding in SSLv3 as a padding oracle to decrypt data such as session cookies, and an active attacker can push a client that falls back to SSLv3 after a failed TLS handshake onto the weak protocol even when both sides support TLS; removing SSLv3 from the server closes both paths. It is likely that security scanning software and auditing firms will start requiring SSLv3 to be disabled in response to this attack. Considering the widespread support for TLSv1.0 and these recent disclosures, support for SSLv3 has been disabled in Serv-U.
In most cases, no changes or problems will be noticeable. Modern browsers and FTP clients already support TLSv1.0. The applications most likely to be affected by this change are legacy applications and hardware that never added support for TLSv1.0. Considering that TLSv1.0 was standardized in 1999, this should be a rare situation. Affected applications will be unable to negotiate a secure connection with Serv-U until SSLv3 is re-enabled. Note that re-enabling SSLv3 for one legacy client restores the POODLE exposure for every client of that server, because the downgrade is forced by the attacker rather than chosen by the client, so updating or replacing the legacy client is the preferable fix.
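To confirm that a Serv-U endpoint (or any FTPS/HTTPS server) really refuses SSLv2 and SSLv3 and still accepts TLS, the following probe is added here as an example; it is not Serv-U code or part of the original article. It builds a raw ClientHello for the requested protocol version, sends it, and classifies the first record the server returns, so it works even where the local OpenSSL has SSLv2 and SSLv3 compiled out and cannot be used for the test. The host name, port, cipher-suite lists and the single-recv handling of the FTP banner are assumptions; the packet builders and the response parser can be exercised offline with constructed bytes.

```python
"""
Handshake probe: does a server accept SSLv2, SSLv3 or a given TLS version?

Added example for this KB article; it is not Serv-U code. It sends a hand-built
ClientHello for the requested version and classifies the first record the
server returns, so it works even where the local OpenSSL has SSLv2/SSLv3
compiled out. Host, port and the cipher-suite lists are assumptions.
"""
import socket
import struct
import sys

# Record-layer / handshake version numbers (SSLv3: RFC 6101, TLS: RFC 2246/4346/5246).
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# Widely deployed suites so a server that accepts the version has something to pick (assumed list).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014]   # AES/3DES CBC, RSA and ECDHE key exchange
SSLV2_CIPHER_SPECS = [0x010080, 0x070080, 0x030080]       # RC4-128-MD5, 3DES-MD5, RC2-128-MD5

ALERT_DESCRIPTIONS = {10: "unexpected_message", 40: "handshake_failure",
                      47: "illegal_parameter", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(version: int, client_random: bytes = bytes(32)) -> bytes:
    """One SSLv3/TLS record carrying a ClientHello that offers only `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version)      # client_version
            + client_random                 # 32-byte random; fixed here so output is deterministic
            + b"\x00"                       # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                  # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello(challenge: bytes = bytes(16)) -> bytes:
    """An SSLv2 CLIENT-HELLO: 2-byte length with the high bit set, then the message itself."""
    specs = b"".join(struct.pack("!I", s)[1:] for s in SSLV2_CIPHER_SPECS)   # 3 bytes per spec
    msg = (b"\x01" + b"\x00\x02"                                 # CLIENT-HELLO, version 2
           + struct.pack("!HHH", len(specs), 0, len(challenge))  # spec len, session-id len, challenge len
           + specs + challenge)
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def classify_response(data: bytes) -> str:
    """Name the first record a server sent after our hello: ServerHello, Alert or nothing."""
    if len(data) < 5:
        return "NoData"
    if data[0] & 0x80 and data[2] == 0x04:                       # SSLv2 SERVER-HELLO
        return "SSLv2 ServerHello"
    content_type, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15 and len(payload) >= 2:               # Alert(level, description)
        level, desc = payload[0], payload[1]
        return f"Alert {ALERT_DESCRIPTIONS.get(desc, desc)} ({'fatal' if level == 2 else 'warning'})"
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # Handshake: ServerHello
        negotiated = struct.unpack("!H", payload[4:6])[0]        # server_version follows the 4-byte header
        return f"ServerHello {VERSION_NAMES.get(negotiated, hex(negotiated))}"
    return "Unknown"


def probe(host: str, port: int, version_name: str, explicit_ftps: bool = False, timeout: float = 5.0) -> str:
    """Connect (optionally upgrading an FTP control channel with AUTH TLS) and send one hello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if explicit_ftps:
            sock.recv(1024)                                     # 220 banner (assumes it arrives in one recv)
            sock.sendall(b"AUTH TLS\r\n")
            reply = sock.recv(1024)
            if not reply.startswith(b"234"):
                return "FTP refused AUTH TLS: " + reply.decode(errors="replace").strip()
        if version_name == "SSLv2":
            hello = build_sslv2_client_hello()
        else:
            hello = build_client_hello(VERSIONS[version_name])
        sock.sendall(hello)
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "NoData (reset or timeout)"


if __name__ == "__main__":
    # Usage: probe.py HOST PORT [explicit]   e.g. "files.example.com 990" (implicit FTPS)
    # or "files.example.com 21 explicit" (AUTH TLS) or "files.example.com 443" (HTTPS).
    host, port = sys.argv[1], int(sys.argv[2])
    explicit = len(sys.argv) > 3 and sys.argv[3] == "explicit"
    for name in ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.2"):
        print(f"{name:8s} -> {probe(host, port, name, explicit)}")
```

On a server with SSLv2 and SSLv3 disabled, the SSLv2 and SSLv3 rows should report an alert (typically protocol_version or handshake_failure) or no data at all, while the TLS rows should report a ServerHello carrying the negotiated version. A ServerHello in the SSLv3 row means the server still accepts the protocol and is exposed to POODLE regardless of what its clients prefer.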