I am no expert in this area but after some searching I am not too sure about the solution.
An external vendor doing a penetration test on our server reported that we have TLS_RSA_WITH_3DES_EDE_CBC_SHA with 112 bits enabled and reported that as a threat. I have read that such ciphers can be disabled from the Microsoft site (we are on Windows Server 2008) which is great, but after reading a bit more about what this means on a forum I see that it is a downgrade from 168 due to a vulnerability.
Extract:
I'm not a crypto-nerd but if I read this explanation correctly that particular cipher has an effective security of 112 bits but if the encryption is achieved by using 3 56 bit keys (3 X 56 = 168)
Answer:
"One might expect that 3TDEA would provide 56×3 = 168 bits of strength. However, there is an attack on 3TDEA that reduces the strength to the work that would be involved in exhausting a 112 bit key"
I can confirm that SSL Labs do in fact rate this cipher to be 112 not 168, which I presume is due to the vulnerability.
In this forum entry it is mentioned to be related to OpenSSL:
As an update, as of the June 20 snapshot of the OpenSSL codebase, the reported strength of the 3DES Cipher Suites is now 112 bits instead of 168.
Ok. If this is correct then can this downgrade only apply to certificates issued with OpenSSL? I am not sure what the exact vulnerability is causing the downgrade to 112.
Either way, what is the actual approach to disable this? Should I set the Registry key (Enabled = 0x0) under the following subkeys?
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 112/112
or:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
or both, or something else?
I cannot apply the change myself as I do not have permissions on these servers, but I need to instruct the person who will make the change.
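As an added example (not from the original post or from Microsoft), here is a PowerShell script the administrator could run to set Enabled = 0 under both Schannel subkeys named in the question and read the values back for sign-off. It assumes an elevated PowerShell on the server; the subkey names are the two from the post, and which one a given Windows build actually honours is confirmed by the re-scan afterwards rather than assumed here.

```powershell
# Added example: disable 3DES in Schannel by setting Enabled = 0 under the
# cipher subkeys named in the question. Schannel reads these keys at boot,
# so the server has to be rebooted before the change takes effect.
# .NET RegistryKey is used instead of the HKLM: provider because PowerShell
# treats the "/" in "Triple DES 168/168" as a path separator and would create
# a nested key "Triple DES 168\168" instead.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Subkey names taken from the question; both are written so that whichever
# one this Windows build consults is covered. (Assumption: no other tooling
# manages these keys on the server.)
$subKeys = @('Triple DES 112/112', 'Triple DES 168/168')

$hklm = [Microsoft.Win32.Registry]::LocalMachine

foreach ($name in $subKeys) {
    # CreateSubKey opens the key writable and creates it if it does not exist.
    $key = $hklm.CreateSubKey("$ciphersPath\$name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Read the values back so the change can be shown to whoever approves it.
foreach ($name in $subKeys) {
    $key = $hklm.OpenSubKey("$ciphersPath\$name")
    $value = $key.GetValue('Enabled')
    $key.Close()
    '{0,-20} Enabled = 0x{1:x}' -f $name, $value
}

# After the reboot, verify from a separate machine that the 3DES suite is no
# longer offered and that AES suites still are, so clients are not left
# without a cipher to negotiate. Either the SSL Labs scan mentioned in the
# post or nmap's ssl-enum-ciphers script will show the negotiable suites:
#   nmap --script ssl-enum-ciphers -p 443 <server>
```

Changing these keys affects every Schannel client and server on the box, not only the web server, so check that nothing else on the host depends on 3DES before the reboot.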