3
Obsolete cryptography on IIS?
Question asked by Evan Heller - March 18, 2015 at 8:08 PM
Unanswered
Hi,
 
Has anyone else noticed that Chrome is reporting the following error when inspecting an SSL cert? I checked my webmail (webmail.palace-designs.com), even though my cert is encrypted with sha256. Any thoughts on this?
 
-Evan

6 Replies

0
Steve Reid Replied
March 19, 2015 at 5:18 AM
 
This software might help...
1
Bruce Barnes Replied
March 24, 2015 at 9:56 AM
We just wrestled with this over the past weekend as we moved our SmarterMail from Server 2003 to a new box and Server 2012.

The reason for the Chrome error message is that TLS 1.0 is still enabled. 
 
TLS 1.0 is considered insecure, and it is required to be disabled for anyone who processes credit cards.
 
HOWEVER, if you disable TLS 1.0, you will eliminate the ability of a large number of devices and browsers to connect to the website at https://webmail.palace-designs.com, and that will, more than likely, present a much larger support issue.
 
A complete list of the non-supported devices can be seen below this graphic:

List of browsers, and the minimum protocol required for a TLS connection. Since most older Android devices will NOT be updated beyond Android 4.3, I, personally, believe it is important to maintain TLS 1.0 as ENABLED:

Handshake Simulation (pasted SSL Labs results; the client name survived for only four of the rows, the rest are shown with "-")

Client                           Protocol  Cipher suite                                     FS      Bits
Android 2.3.7 (No SNI 2)         TLS 1.0   TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)              No FS   128
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
IE 6 / XP (No FS 1, No SNI 2)    Protocol or cipher suite mismatch                          Fail (3)
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
IE 8 / XP (No FS 1, No SNI 2)    TLS 1.0   TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)              No FS   112
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
Java 6u45 (No SNI 2)             TLS 1.0   TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)              No FS   128
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      FS      128
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS      128
-                                TLS 1.0   TLS_RSA_WITH_AES_256_CBC_SHA (0x35)              No FS   256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.0   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)      FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256
-                                TLS 1.2   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS      256

(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
 
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
 
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
 
(R) Denotes a reference browser or client, with which we expect better effective security.
 
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).


Feel free to contact me directly if you have any questions.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
evan heller Replied
March 24, 2015 at 12:14 PM
Hi Bruce, so what's your take on this? When I did some research it looks like certain ciphers have problems as well, like:
 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
 
since it's a sha1 cipher. Disabling these would cause a major issue with most clients. What did you decide to do in the end?
3
Bruce Barnes Replied
March 24, 2015 at 8:27 PM
Evan: 
 
I, initially, tried using the utility from IISCrypto, and, while it worked, the settings pushed by the tool locked out a lot of mobile devices and IIS.
 
After a lot of searching, reading the security blogs of many different SSL/TLS experts, and looking at lots of recommendations for CIPHERS and SECURITY PROVIDER KEYS, I hit upon the combination shown in the examples below.
 
I'm happy with our current SSL Labs score (click through image for complete report):
 
SSL Labs Score for "securemail.chicagonettech.com" using protocols and ciphers shown below
 

Here's a copy of the CIPHERS we are currently running in SmarterMail on Server 2012:

All "NULL" ciphers, and all ciphers with a strength of less than 128, have been removed from the list.  These recommendations are in accordance with the current recommendations from US CERT, SSL Labs (see the PDF link on the page), and Microsoft TechNet, along with recommendations of various other SSL/TLS security experts.

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
     
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
     
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
     
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
     
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
     
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
     
  • TLS_RSA_WITH_AES_256_CBC_SHA256
     
  • TLS_RSA_WITH_AES_256_CBC_SHA
     
  • TLS_RSA_WITH_AES_128_CBC_SHA256
     
  • TLS_RSA_WITH_AES_128_CBC_SHA
     
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
 

Here's a copy of the actual CIPHERS we have loaded in our registry on our Windows 2012 / SmarterMail 13.3.3 server:

This can be copied into a TXT file, renamed to .REG and, when it is clicked on, the contents will REPLACE everything that's in the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration" key in the registry.
 
DON'T FORGET TO BACKUP YOUR ORIGINAL REGISTRY FIRST and REBOOT after the import!
 
You can also download this file and then directly import it into your registry.
 
The file you download will be a ".TXT" file.  Rename the extension to ".REG", click on it and directly import it into your registry.  Use this link.  The file access password is "SmarterMail" (case sensitive).
 
Remember to BACKUP your registry first and REBOOT after importing the file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
Here's a copy of the actual SECURITY PROVIDERS keys we have loaded in our registry on our Windows 2012 / SmarterMail 13.3.3 server:
 
The file in the "code" window below is the actual set of SECURITY PROVIDERS we are currently running.  Again, all recommendations, except the removal of TLS 1.0, have been implemented.  TLS 1.0 was allowed to remain in to provide compatibility with pre-Android 4.4 devices, as well as other devices, which cannot support TLS 1.2 and 1.3.
 
This can be copied into a TXT file, renamed to .REG and, when it is clicked on, the contents will REPLACE everything that's in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders" key in the registry.
 
DON'T FORGET TO BACKUP YOUR ORIGINAL REGISTRY FIRST and REBOOT after the import!
 
You can also download this file and then directly import it into your registry.
 
The file you download will be a ".TXT" file.  Rename the extension to ".REG", click on it and directly import it into your registry.  Use this link.  The file access password is "SmarterMail" (case sensitive).
 
Remember to BACKUP your registry first and REBOOT after importing the file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RSA 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UTF8SASL"=dword:00000001
"Debuglevel"=dword:00000000
"UTF8HTTP"=dword:00000001
"Negotiate"=dword:00000001
"DigestEncryptionAlgorithms"="3des,rc4"
There may be other CIPHERS and PROTOCOLS which can be added, and others may have other suggestions.  I am open to hearing them, but, as I said, happy with the current situation, knowing the risks of having TLS 1.0 open.
Bruce Barnes
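The registry export above encodes each protocol's state in the Enabled/DisabledByDefault pair and the cipher-suite order in the SSL\00010002 Functions string. This added audit script (written for this thread, not code from SmarterMail or ChicagoNetTech) parses a .reg export, reports which of the debated legacy items (TLS 1.0, 3DES, MD5) are left on, and flags the SHA-1 and 3DES suites Evan asked about; REG_TEXT is a constructed excerpt using the same key paths, and missing keys are treated as not explicitly enabled rather than resolved to OS defaults.

```python
# Added example, not the thread's or SmarterMail's code: audit a Schannel .reg
# policy export for the legacy items the thread debates (TLS 1.0, 3DES, SHA-1).
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
# Constructed excerpt in .reg syntax, using the same key paths as the thread's file.
REG_TEXT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
"""

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=dword:" in line:
            name, _, hexval = line.partition("=dword:")
            keys[current][name.strip('"')] = int(hexval, 16)
    return keys

def server_protocol_enabled(keys, proto):
    """Schannel offers a server-side protocol only when Enabled != 0 AND
    DisabledByDefault == 0; keys absent from the export count as not enabled here."""
    vals = keys.get(f"{SCHANNEL}\\Protocols\\{proto}\\Server", {})
    return vals.get("Enabled", 0) != 0 and vals.get("DisabledByDefault", 0) == 0

def audit(keys):
    """Flag weak protocols, ciphers and hashes left on; returns sorted findings."""
    findings = []
    for proto in ("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1"):
        if server_protocol_enabled(keys, proto):
            findings.append(f"protocol {proto} enabled server-side")
    for cipher in ("NULL", "DES 56/56", "RC4 128/128", "Triple DES 168/168"):
        if keys.get(f"{SCHANNEL}\\Ciphers\\{cipher}", {}).get("Enabled", 0):
            findings.append(f"cipher {cipher} enabled")
    if keys.get(f"{SCHANNEL}\\Hashes\\MD5", {}).get("Enabled", 0):
        findings.append("hash MD5 enabled")
    return sorted(findings)

def legacy_suites(functions_csv):
    """From a Functions cipher-suite list (the SSL\\00010002 value), return the
    suites using a SHA-1 MAC (name ends in _SHA) or 3DES; curve suffixes ignored."""
    flagged = []
    for suite in (s.strip() for s in functions_csv.split(",")):
        base = re.sub(r"_P(256|384|521)$", "", suite)  # drop _P256/_P384/_P521
        reasons = ["SHA-1 MAC"] * base.endswith("_SHA") + ["3DES"] * ("3DES" in base)
        if reasons:
            flagged.append((suite, reasons))
    return flagged
```

Running audit(parse_reg(REG_TEXT)) on the excerpt reports TLS 1.0, Triple DES and MD5 as enabled, which matches the trade-off Bruce describes; feed the Functions string from your own export to legacy_suites to see which suites would go when SHA-1 and 3DES are dropped.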
0
Bruce Barnes Replied
May 5, 2016 at 3:37 PM
Here's a link to the downloads.
Bruce Barnes
0
Bruce Barnes Replied
June 4, 2016 at 9:34 PM
Send me your e-mail address: support@chicagonettech.com
Bruce Barnes