
I have reviewed both related posts on this site:

How do I disable SSL 2.0 support on IIS?

How to disable SSL 2.0 on IIS 7.5?

The issue I am having is that I have implemented the registry change, rescanned my websites, and I am still being told that IIS 6 is allowing SSL 2.0 connections.

Here's the verbiage from the scanning site:

Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

QUESTIONS:

  • How do I test this myself so I can continue to troubleshoot the issue?
  • Is there a tool out there that I can use to test?
  • Would I need to disable other connection methods? [PCT 1.0 / TLS 1.0]

Thanks

I.T. Support

1 Answer


You will need to disable PCT 1.0 as well as SSLv2, as it is no longer used. If you follow the MS KB, then you should be fine. You can use ssllabs.com to test your server if it is reachable over the Internet. Also you could use the G-SEC tool for configuring SSL/TLS on Windows.

Nasko
  • I'll disable PCT 1.0, reboot, rescan, and see what happens... – I.T. Support Aug 23 '10 at 20:50
  • I used GSEC, and peered into the registry to see what keys were being added. Turns out the keys GSEC entered are nothing like what the KB article suggests. I won't know if GSEC's reg entries worked until after hours (when I reboot it), but it's worth mentioning. – I.T. Support Aug 23 '10 at 21:08
  • Can you share what reg keys GSEC modified and what you expected to be modified? – Nasko Aug 23 '10 at 21:10
  • According to MS KB, you add a DWORD [00 00 00 00] to the "Server" sub key underneath the corresponding protocol. GSEC doesn't add this key, but instead adds two other DWORDS: DisabledByDefault [1] & Enabled [0]. I'll post again once I reboot and evaluate – I.T. Support Aug 23 '10 at 21:56
  • The KB does say that you need to add DWORD named Enabled and set it to 0. The DisabledByDefault will have no effect once Enabled is set to 0, it only governs whether the protocol is present by default when the protocol is enabled. – Nasko Aug 23 '10 at 21:58
  • Yeah I just caught that on the last section. I was referring to the middle section "Each key holds information about the protocol for the key. Any one of these protocols can be disabled at the server. To do this, you create a new DWORD value in the server subkey of the protocol. You set the DWORD value to "00 00 00 00." - Too bad they fail to mention what the key name is until later in the article. Standard Microsoft KBs, ALL OVER THE PLACE :) – I.T. Support Aug 23 '10 at 22:03
  • So I rebooted, then ran a scan from SSLLabs, 2.0 is disabled, but SSL 2.0+ Upgrade Support is not? Is this an issue? – I.T. Support Aug 23 '10 at 22:15
  • SSLv2 upgrade support means a client using backwards compatible messages can negotiate SSLv3 and above just fine. This is not a problem and can actually allow interoperability with older clients (even though they don't do SSLv2). If you need more info on that, let me know and I can explain more. – Nasko Aug 24 '10 at 15:09
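The first question in the post ("how do I test this myself?") is easy to answer without an Internet-facing server, which SSL Labs needs: send the server a raw SSLv2 CLIENT-HELLO and look at what comes back. The script below is an added example written for this page; it is not code from the original post, from the Microsoft KB, or from the G-SEC tool. Python's ssl module has not supported SSLv2 for many years, so the probe writes the SSLv2 record by hand over a plain socket. The host and port are whatever the reader points it at; the server replies used in the assertions are constructed byte strings. Run it after the reboot the KB and the comments above call for, since Schannel picks the Protocols keys up at start-up. A genuine SSLv2 SERVER-HELLO reproduces the scanner's finding; a TLS alert or an immediately closed connection means SSLv2 is off. The `version=0x0301` path in `build_client_hello` is the backwards-compatible hello that SSL Labs reports as "SSL 2.0+ Upgrade Support", which Nasko's last comment explains is harmless.

```python
"""Raw SSLv2 CLIENT-HELLO probe (example written for this page, not from the original post)."""
import socket
import struct

# SSLv2 cipher specs are 3 bytes each; names follow the SSL 2.0 specification.
SSL2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

SSL2_ERROR = 0x00         # SSLv2 message types used below
SSL2_CLIENT_HELLO = 0x01
SSL2_SERVER_HELLO = 0x04


def build_client_hello(version=0x0002, extra_suites=(), challenge=b"\x00" * 16):
    """Build an SSLv2-format CLIENT-HELLO record.

    version=0x0002 with only SSLv2 cipher specs asks for genuine SSLv2.
    version=0x0301 plus 3-byte TLS suites such as b"\\x00\\x00\\x2f" is the
    backwards-compatible hello behind "SSL 2.0+ Upgrade Support": a server
    that only speaks SSLv3/TLS may answer it with a TLS ServerHello.
    """
    specs = b"".join(SSL2_CIPHER_SPECS) + b"".join(extra_suites)
    body = (bytes([SSL2_CLIENT_HELLO])
            + struct.pack(">H", version)
            # cipher-spec length, session-id length (0), challenge length
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # Two-byte record header: bit 7 set means "no padding", low 15 bits = body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_reply(data: bytes) -> dict:
    """Classify the first record the server sent back to our SSLv2 hello."""
    if not data:
        return {"speaks_sslv2": False, "kind": "closed", "detail": "connection closed without a reply"}
    # SSLv3/TLS records start with a content type (0x15 alert, 0x16 handshake) and major version 3.
    if len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        ver = f"{data[1]}.{data[2]}"  # 3.0 = SSLv3, 3.1 = TLS 1.0, ...
        if data[0] == 0x15:
            desc = data[6] if len(data) >= 7 else None
            return {"speaks_sslv2": False, "kind": "tls_alert",
                    "detail": f"SSL/TLS {ver} alert, description {desc}"}
        return {"speaks_sslv2": False, "kind": "tls_handshake",
                "detail": f"server upgraded the v2-format hello to SSL/TLS {ver}"}
    # Otherwise expect an SSLv2 record: 2-byte header when bit 7 is set, else a
    # 3-byte header whose third byte is the padding length.
    if data[0] & 0x80:
        hdr, length = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:
        hdr, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    body = data[hdr:hdr + length]
    if body and body[0] == SSL2_ERROR and len(body) >= 3:
        code = struct.unpack(">H", body[1:3])[0]
        # The record layer is SSLv2 even though the handshake was refused.
        return {"speaks_sslv2": True, "kind": "ssl2_error", "detail": f"SSLv2 ERROR code {code}"}
    if body and body[0] == SSL2_SERVER_HELLO and len(body) >= 11:
        # SERVER-HELLO: type, session-id-hit, cert-type, version(2), cert len, spec len, conn-id len
        cert_len, spec_len, _conn_len = struct.unpack(">HHH", body[5:11])
        specs = body[11 + cert_len:11 + cert_len + spec_len]
        names = [SSL2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
                 for i in range(0, len(specs), 3)]
        return {"speaks_sslv2": True, "kind": "ssl2_server_hello",
                "detail": "server completed an SSLv2 SERVER-HELLO", "ciphers": names}
    return {"speaks_sslv2": False, "kind": "unknown", "detail": data[:8].hex()}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the SSLv2 hello to host:port and classify the reply (needs network access)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:   # TLS servers alert and close; SSLv2 servers wait for CLIENT-MASTER-KEY
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return parse_server_reply(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], target_port))
```

Point it at the IIS host (`python3 sslv2probe.py webserver.example.internal 443`, a hypothetical name) and read the `kind` field: `ssl2_server_hello` is what Nessus-style scanners flag, `ssl2_error` means the server still implements the SSLv2 record layer and merely found no common cipher, and `tls_alert` or `closed` is the result you want after the registry change. If the box answers `ssl2_server_hello` with the SSL 2.0 Server key already present, the next thing to check is that the DWORD is named exactly `Enabled` and that the machine has actually been restarted.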