
I am trying to disable SSL2 on our IIS/SMTP server. We are using a Windows Server 2008 R2 Enterprise (64bit). We use the IIS6 Manager to manage the SMTP virtual servers. I have attempted numerous methods but have been unsuccessful in all. I have fully rebooted after every change too.

I am testing from another server with the following command, but it still shows as connected via SSL2:

$ openssl s_client -debug -connect servername:25 -ssl2
CONNECTED(00000003)
write to 0x600078840 [0x600181951] (45 bytes => 45 (0x2D))
0000 - 80 2b 01 00 02 00 12 00-00 00 10 03 00 80 01 00   .+..............
0010 - 80 07 00 c0 06 00 40 04-00 80 02 00 80 ba 66 21   ......@.......f!
0020 - fe 2d 4c 49 44 b9 23 e5-f9 10 a5 21 7f            .-LID.#....!.
read from 0x600078840 [0x600070790] (2 bytes => 2 (0x2))
0000 - 32 32                                             22
read from 0x600078840 [0x600070792] (12851 bytes => 123 (0x7B))
0000 - 30 20 6d 61 69 6c 2e 65-67 32 2e 66 69 65 6c 64   0 mail.ourdomain
0010 - 67 6c 61 73 73 2e 6e 65-74 20 4d 69 63 72 6f 73   name.net Micros
0020 - 6f 66 74 20 45 53 4d 54-50 20 4d 41 49 4c 20 53   oft ESMTP MAIL S
0030 - 65 72 76 69 63 65 2c 20-56 65 72 73 69 6f 6e 3a   ervice, Version:
0040 - 20 37 2e 35 2e 37 36 30-31 2e 31 37 35 31 34 20    7.5.7601.17514
0050 - 72 65 61 64 79 20 61 74-20 20 57 65 64 2c 20 38   ready at  Wed, 8
0060 - 20 4a 75 6c 20 32 30 31-35 20 31 34 3a 32 36 3a    Jul 2015 14:26:
0070 - 31 35 20 2b 30 30 30 30-20 0d 0a                  15 +0000 ..

I started with Microsoft’s recommendation: https://support.microsoft.com/en-us/kb/187498

Instead of PCT 1.0, I used SSL 2.0:

To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:

Click Start, click Run, type regedt32 or type regedit, and then click OK. In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

On the Edit menu, click Add Value. In the Data Type list, click DWORD. In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value. Type 00000000 in Binary Editor to set the value of the new key equal to "0". Click OK. Restart the computer.

I have also tried this method: http://forums.iis.net/t/1151822.aspx?Disable+SSL+v2+in+IIS7+

I even tried using IIS Crypto and still show as connecting via SSL2.

cas32
  • Ignore my answer, I see you're connecting through a shell method rather than through a browser. Just in case you want the solution for a browser though (IE specifically), you can use this setting in a GPO: Computer Config > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page > Turn off Encryption Support. Set this setting to Enabled and only use TLS protocols (1-1.2), which then will not allow negotiation of SSL at all. Hope that helps at least a little bit. – Brad Bouchard Jul 08 '15 at 20:09
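The -debug transcript in the question shows, in hex, what the client sent and what the server answered. Two details decide what that output means: openssl s_client prints CONNECTED(00000003) as soon as the TCP connection is up, before any handshake, and whether SSLv2 was actually negotiated can only be read from the bytes that come back. The decoder below is an added example, not code from the question or the answer: it parses a -debug hex dump and classifies the first bytes each side sends as an SSLv2 record (2-byte header with the high bit set, then the message type), an SSLv3/TLS record (content type, then version 0x03xx) or a plaintext SMTP reply (three-digit code). It goes slightly beyond the question's case by recognising TLS record headers as well. The sample transcript is constructed with a made-up hostname (mail.example.net) and is modelled on the question's output; the function names are assumptions of this example.

```python
import re

# One hex-dump row of `openssl s_client -debug`: a 4-digit offset, " - ",
# up to 16 byte pairs separated by " " or "-", then spaces and an ASCII column.
HEX_ROW = re.compile(r"^[0-9a-fA-F]{4} - ((?:[0-9a-fA-F]{2}[ -])+)")

SSLV2_MSG = {0: "error", 1: "client-hello", 4: "server-hello"}
TLS_CONTENT = {0x14: "change-cipher-spec", 0x15: "alert",
               0x16: "handshake", 0x17: "application-data"}
TLS_VERSION = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}


def parse_debug_dump(text):
    """Group the hex rows of a -debug transcript under their 'write to' /
    'read from' headers; return [(direction, bytes), ...] in wire order."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("write to "):
            blocks.append(["write", bytearray()])
        elif line.startswith("read from "):
            blocks.append(["read", bytearray()])
        elif blocks:
            m = HEX_ROW.match(line)
            if m:
                blocks[-1][1] += bytes.fromhex(re.sub(r"[ -]", "", m.group(1)))
    return [(d, bytes(b)) for d, b in blocks]


def classify(data):
    """Name the protocol layer the first bytes of a message belong to."""
    if len(data) >= 3 and data[0] & 0x80:
        # SSLv2 record: 2-byte length header with the high bit set, then the
        # message type byte (1 = CLIENT-HELLO, 4 = SERVER-HELLO).
        return "sslv2-" + SSLV2_MSG.get(data[2], "msg-%d" % data[2])
    if len(data) >= 3 and data[0] in TLS_CONTENT and data[1] == 0x03:
        # SSLv3/TLS record: content type, then major version 3 and minor version.
        return "%s-%s" % (TLS_VERSION.get(data[2], "unknown"), TLS_CONTENT[data[0]])
    if re.match(rb"\d{3}[ -]", data):
        # An SMTP reply line: three-digit code followed by space or dash.
        return "plaintext-smtp-" + data[:3].decode("ascii")
    return "unknown"


def analyse_dump(text):
    """Classify everything the client sent and everything the server returned."""
    blocks = parse_debug_dump(text)
    sent = b"".join(b for d, b in blocks if d == "write")
    received = b"".join(b for d, b in blocks if d == "read")
    return {"client": classify(sent), "server": classify(received),
            "server_bytes": received}


def verdict(result):
    """Turn the classification into a one-line reading of the test."""
    c, s = result["client"], result["server"]
    if c != "sslv2-client-hello":
        return "not an SSLv2 probe (%s -> %s)" % (c, s)
    if s == "sslv2-server-hello":
        return "SSLv2 accepted: the server answered the SSLv2 ClientHello"
    if s.startswith("plaintext-smtp-"):
        return ("no SSLv2 handshake: the server replied with its plaintext SMTP "
                "greeting, so the hello was sent before STARTTLS "
                "(retest with -starttls smtp)")
    return "SSLv2 rejected or no usable reply (%s)" % s


# Constructed sample transcript (made-up hostname), modelled on the question:
# one SSLv2 ClientHello written, then a plaintext SMTP banner read in two pieces.
SAMPLE = """\
CONNECTED(00000003)
write to 0x600078840 [0x600181951] (45 bytes => 45 (0x2D))
0000 - 80 2b 01 00 02 00 12 00-00 00 10 03 00 80 01 00   .+..............
0010 - 80 07 00 c0 06 00 40 04-00 80 02 00 80 ba 66 21   ......@.......f!
0020 - fe 2d 4c 49 44 b9 23 e5-f9 10 a5 21 7f            .-LID.#....!.
read from 0x600078840 [0x600070790] (2 bytes => 2 (0x2))
0000 - 32 32                                             22
read from 0x600078840 [0x600070792] (32 bytes => 32 (0x20))
0000 - 30 20 6d 61 69 6c 2e 65-78 61 6d 70 6c 65 2e 6e   0 mail.example.n
0010 - 65 74 20 45 53 4d 54 50-20 72 65 61 64 79 0d 0a   et ESMTP ready..
"""

if __name__ == "__main__":
    result = analyse_dump(SAMPLE)
    print(result["client"], "->", result["server"])
    print(verdict(result))
```

Fed the sample, the client side comes out as an SSLv2 CLIENT-HELLO (80 2b 01 00 02: 43-byte record, message type 1, version 0x0002) and the server side as a plaintext "220" SMTP reply, which is the SMTP greeting rather than a TLS-layer response; a server that really accepted SSLv2 would answer with a record whose third byte is 0x04 (SERVER-HELLO). The same decoder reads a transcript captured with -starttls smtp, where the first reads are the plaintext SMTP exchange and the protocol verdict has to be taken from the records that follow the client's hello.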

1 Answer


Here is an extract of a PowerShell script I wrote a few months ago to do a whole bunch of things related to protocol support and ciphers. I wrote it specifically for Server 2008 R2.

# Disable SSL 2.0 (PCI Compliance)
# -Force lets the lines be re-run without erroring if the key or value already exists.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord" -Force

This just creates and sets a registry key that should mean the server will no longer support SSL 2.0 for incoming connections. You can run this on the server in question to disable SSL 2.0.

Here is the complete script, should you be interested. Please check how relevant it is to your scenario before you use it, as it drops support for clients with older OSes and browsers. Also, these settings were tailored for a web server.

# Enables TLS 1.1 & 1.2 and disables SSL 2.0 and SSL 3.0 (both as client and server) on Windows Server 2008 R2 and Windows 7. Additionally it reorders a few cipher suites to prefer stronger ciphers and disables RC4 ciphers.
# -Force is used on md and new-itemproperty throughout so the script can be re-run without erroring on keys or values that already exist.

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" -Force
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Force
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -Force

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" -Force
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Force
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force

# Enable TLS 1.1 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "Enabled" -value 1 -PropertyType "DWord" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "Enabled" -value 1 -PropertyType "DWord" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord" -Force

# Enable TLS 1.2 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord" -Force

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord" -Force

# Disable SSL 3.0 (POODLE)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0" -Force
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -Force
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -name Enabled -value 0 -PropertyType "DWord" -Force

# Set preferred cipher suites. The policy key only exists once a cipher suite order policy has been applied, so create it first.
md "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -Force
new-itemproperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -name Functions -value "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" -PropertyType "String" -Force

# Disable RC4 ciphers.
# The SCHANNEL cipher key names contain a forward slash ("RC4 128/128"), which the PowerShell
# registry provider treats as a path separator: md "...\Ciphers\RC4 128/128" would create a key
# named "RC4 128" with a subkey "128", which SCHANNEL ignores. Create and write these keys through
# the .NET registry API instead, where only the backslash separates path components.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers")
foreach ($name in "RC4 128/128", "RC4 40/128", "RC4 56/128") {
    $key = $ciphers.CreateSubKey($name)
    $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}
$ciphers.Close()
ilikebeets
  • I've tried and I'm still able to connect: $ openssl s_client -debug -connect servername:25 -starttls smtp -ssl2 CONNECTED(00000003) read from 0x600078840 [0x600078970] (4096 bytes => 126 (0x7E)) 0000 - 32 32 30 20 6d 61 69 6c-2e 65 67 32 2e 66 69 65 220 mail.our.do 0010 - 6c 64 67 6c 61 73 73 2e-6e 65 74 20 4d 69 63 72 main.net Micr – cas32 Jul 15 '15 at 15:36