1

I just find out today about this issue, and I have the following question:

If we disable SSL3 in IIS as described in On IIS, how do I patch the SSL 3.0 POODLE vulnerability (CVE­-2014­-3566)?, what will happen with the sites using SSL (through https)?

bzamfir
  • 187
  • 1
  • 6
  • I'm quite sure I don't understand your question. What will happen with the sites? Nothing will happen! What is it that you're concerned about? – Michael Hampton Oct 16 '14 at 12:06
  • Yes, that's what I'm concerned about. My site is production, it uses secure connection (SSL) and if I disable SSL 3, will the site still work with secure connection (https protocol)? – bzamfir Oct 16 '14 at 12:24
  • 1
    Of course it will. Now I'm certain I don't understand what you're getting at. – Michael Hampton Oct 16 '14 at 12:40

1 Answers1

2

I think you're asking "What will happen to browsers that only support SSL 3.0 when accessing my site?"

Browsers that don't support TLS 1.0 (or newer) will fail to display your site. The specific behavior depends on the browser.

All modern web browsers (including the arguably non-modern IE 8 in Windows XP) support at least TLS 1.0. For anyone using a modern browser will have no problem (so long as they have TLS 1.0 or greater enabled in their browser settings).

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Thank you for clarification. I didn't knew TSL is basically a new version of SSL, I thought if SSL 3 is disabled, TSL might be enabled (somehow), but I found nothing in IIS management console. – bzamfir Oct 16 '14 at 17:07
  • You can view browser support information [here](http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers). It's a big chart, you're interested in the column "TLS 1.0". Any browser that supports TLS 1.0 (or better) is going to be able to access your site just fine after you disable SSL 3.0. – Josh Oct 20 '14 at 15:31