3
Obsolete cryptography on IIS?
Question asked by Evan Heller - 3/18/2015 at 8:08 PM
Unanswered
Hi,
 
Has anyone else noticed that chrome is reporting the following error when inspecting an SSL cert? I checked my webmail:   webmail.palace-designs.com and though my cert is encrypted with sha256.  Any thoughts on this?
 
-Evan

10 Replies

Reply to Thread
0
Steve Reid Replied
https://www.nartac.com/Products/IISCrypto/
 
This software might help...
0
Evan Heller Replied
Thanks, I went through that tool and verified using both shaaaaaaaaaaaaa.com and ssllabs. Both come back with an A and indicate that the cert and intermediate cert are both sha256. I could not find a single tool that indicates a problem with the chain or ciphers. Chrome shows a green lock icon however with that message "xyz is encrypted with obsolete cryptography". From looking at most webmail setups it would appear this is a common message but way to fix this in chrome or get further information.
1
Bruce Barnes Replied
We just wrestled with this over the past weekend as we moved our SmarterMail from Server 2003 to a new box and Server 2012.

The reason for the Chrome error message is that TLS 1.0 is still enabled. 
 
TLS 1.0 is considered unsecure, and it is required to be disabled for anyone who processes credit cards.
 
HOWEVER, if you disable TLS 1.0, you will eliminate the ability of a large number of devices and browsers to connect to the website at https://webmail.palace-designs.com, and that will, more than likely, present a much larger support issue.
 
A complete list of the non-supported devices can be seen below this graphic:
 
 
 
 
List of browsers, and the minimum required protocol required for TLS connection.  Since most older Android devices will NOT be updated beyond Android 4.3, I, personally, believe it is important to maintain TLS 1.0 as ENABLED:
 
 

Handshake Simulation
Android 2.3.7   No SNI 2 TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   No FS 128
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
IE 6 / XP   No FS 1   No SNI 2
Protocol or cipher suite mismatch Fail3
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
IE 8 / XP   No FS 1   No SNI 2
TLS 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   No FS 112
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
Java 6u45   No SNI 2
TLS 1.0 TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   No FS 128
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 128
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 128
 
TLS 1.0 TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   No FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 256
 
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
 
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
 
(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.
 
(R) Denotes a reference browser or client, with which we expect better effective security.
 
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).


Feel free to contact me directly if you have any questions.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
evan heller Replied
Hi Bruce, so what's your take on this. When I did some research it looks like certain cihpers have problems as well like: 
 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
 
since it's a sha1 cipher. Disabling these would cause a major issue with most clients. What did you decide to do in the end?
3
Bruce Barnes Replied
Evan: 
 
I, initially, tried using the utility from IISCrypto, and, while it worked, the settings pushed by the tool locked our a lot of mobile devices and IIS.
 
After a lot of searching, reading the security blogs of many different SSL/TLS experts, and looking at lots of recommendations for CIPHERS and SECURITY PROVIDER KEYS, I hit upon the combination shown in the examples below.
 
I'm happy with our current SSL Labs score (click through image for complete report):
 
SSL Labs Score for "securemail.chicagonettech.com" using protocols and ciphers shown below
 

Here's a copy of the CIPHERS we are currently running in SmarterMail on Server 2012:

All "NULL" ciphers, and all ciphers with a strength of less than 128, have been removed from the list.  These recommendations are in accordance with the current recommendations from US CERT, SSL Labs (see the PDF link on the page), and Microsoft TechNet, along with recommendations of various other SSL/TLS security experts.

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
     
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
     
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
     
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
     
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
     
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
     
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
     
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
     
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
     
  • TLS_RSA_WITH_AES_256_CBC_SHA256
     
  • TLS_RSA_WITH_AES_256_CBC_SHA
     
  • TLS_RSA_WITH_AES_128_CBC_SHA256
     
  • TLS_RSA_WITH_AES_128_CBC_SHA
     
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
 

Here's a copy of the actual CIPHERS we have loaded in our registry on our Windows 2012 / SmarterMail 13.3.3 server:

This can be copied into a TXT file, renamed to .REG and, when it is clicked on, the contents will REPLACE everything that's in the "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration" key in the registry.
 
DON'T FORGET TO BACKUP YOUR ORIGINAL REGISTRY FIRST and REBOOT after the import!
 
You can also download this file and then directly import it into your registry.
 
The file you download will be a ".TXT" file.  Rename the extension to ".REG", click on it and directly import it into your registry.  Use this link.  The file access password is "SmarterMail" (case sensitive).
 
Remember to BACKUP your registry first and REBOOT after importing the file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
Here's a copy of the actual SECURITY PROVIDERS keys we have loaded in our registry on our Windows 2012 / SmarterMail 13.3.3 server:
 
The file in the "code" window below is the actual set of SECURITY PROVIDERS we are currently running.  Again, all recommendations, except the removal of TLS 1.0, have been implemented.  TLS 1.0 was allowed to remain in to provide compatibility with PRE Andriod 4.4 devices, as well as other devices, which cannot support TLS 1.2 and 1.3.
 
This can be copied into a TXT file, renamed to .REG and, when it is clicked on, the contents will REPLACE everything that's in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders" key in the registry.
 
DON'T FORGET TO BACKUP YOUR ORIGINAL REGISTRY FIRST and REBOOT after the import!
 
You can also download this file and then directly import it into your registry.
 
The file you download will be a ".TXT" file.  Rename the extension to ".REG", click on it and directly import it into your registry.  Use this link.  The file access password is "SmarterMail" (case sensitive).
 
Remember to BACKUP your registry first and REBOOT after importing the file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SaslProfiles]
"GSSAPI"="Kerberos"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RSA 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UTF8SASL"=dword:00000001
"Debuglevel"=dword:00000000
"UTF8HTTP"=dword:00000001
"Negotiate"=dword:00000001
"DigestEncryptionAlgorithms"="3des,rc4"
There may be other CIPHERS and PROTOCOLS which can be added, and others may have other suggestions.  I am open to hearing them, but, as I said, happy with the current situation, knowing the risks of having TLS 1.0 open.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Colin M Replied
Thanks for the great post, Bruce!
0
David Jamell Replied
The links to the downloadable files don't seem to work.
0
Bruce Barnes Replied
Here's a link to the downloads.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Mike Ingram Replied
Any chance you can send me the files to download. I can not seem to get them to work on your site and this post does not have them? Thank you for the great post!!
0
Bruce Barnes Replied
Send me your e-mail address: support@chicagonettech.com
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Reply to Thread