disabling sslv2 because it is naughty

We now know how to test for SSLv2. How do you fix it?

IIS6: Well, go ask Microsoft. It is a registry edit and not a GUI option.

Apache httpd.conf: "SSLProtocol +All -SSLv2" or even "SSLProtocol -All +SSLv3". Further cipher tinkering can be done with the SSLCipherSuite directive.
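To check an existing Apache config for lines that still leave SSLv2 on, here is an added example (not from the original post) that evaluates each SSLProtocol directive left to right. Assumptions: the protocol set is the one from the Apache 2.0/2.2 era, where "all" still includes SSLv2, the token handling is modelled on mod_ssl (a bare token replaces what came before it), and the function names and sample config are made up for illustration.

```python
import re

# Assumption: protocols known to mod_ssl in the Apache 2.0/2.2 era,
# where "all" still included SSLv2.
ALL = {"SSLv2", "SSLv3", "TLSv1"}
CANON = {p.lower(): p for p in ALL}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def effective_protocols(args):
    """Evaluate the arguments of one SSLProtocol directive, left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            chosen = set(ALL)
        elif name in CANON:
            chosen = {CANON[name]}
        else:
            raise ValueError(f"unknown protocol {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare token replaces everything before it
    return enabled

def find_sslv2(config_text):
    """Return (line_number, args) for each SSLProtocol line that leaves SSLv2 on."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#', so no match
        if m and "SSLv2" in effective_protocols(m.group(1)):
            findings.append((n, m.group(1)))
    return findings

# Constructed sample config, not taken from a real server.
SAMPLE = """\
# constructed sample
SSLEngine on
SSLProtocol all
  SSLProtocol +All -SSLv2
#SSLProtocol +SSLv2
SSLProtocol -All +SSLv3
SSLProtocol -SSLv2 all
"""

if __name__ == "__main__":
    for lineno, args in find_sslv2(SAMPLE):
        print(f"line {lineno}: SSLProtocol {args} still enables SSLv2")
```

The last sample line shows why order matters: the bare "all" after "-SSLv2" puts SSLv2 back.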

For everything else, you need to consult documentation. In my case, I have Citrix Netscaler load-balancers in front of my web servers. In the port 443/SSL vservers->SSL tab->SSL Parameters, I would uncheck “SSLv2” and uncheck “Enable SSLv2 URL.” That second one is just the redirect for browsers wanting to make SSLv2 connections when SSLv2 is not wanted. Of course, this can also be done via SSH.