How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (Ciphers) in Windows 2003

When an SSL certificate is deployed on a website in Internet Information Services (IIS) 6.0 or 7.0, many administrators forget, or do not know how, to restrict the weak cryptographic algorithms (ciphers) and protocols that Schannel offers by default. Leaving them enabled is a real hole in the connection between client and server: a client, or an attacker able to downgrade the handshake, can negotiate a weak cipher for what is supposed to be a secure HTTPS session.
Fixing this on Windows is not difficult. This post shows:

  • How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
  • How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll


Let’s look at how to do it on Windows 2003 (Windows 2008 uses the same SCHANNEL registry layout, so the same steps apply there):
Using regedit.exe, make the following changes. Each item below is a registry key; create any key that does not yet exist, and type the names exactly as written, spaces and slashes included.
Disable weak protocols

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server


In each of the keys listed above add a DWORD value named “Enabled” with data 0 (00000000). A missing Enabled value means the Windows default, which on Windows 2003 still leaves SSL 2.0 turned on.

Disable weak ciphers

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128


In each of the keys listed above add a DWORD value named “Enabled” with data 0 (00000000). Schannel reads these keys only when the system starts, so reboot the server afterwards; restarting IIS alone is not enough, because Schannel runs inside lsass.exe, not inside the web server.
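The whole procedure above as a script, added here as an example and not part of the original article. It creates the nine keys (including any missing parents), sets Enabled=0 under each, and reads every entry back so you can confirm the state before rebooting. It assumes an elevated PowerShell on the server itself. The keys are created through the .NET RegistryKey API rather than New-Item because the PowerShell registry provider treats “/” as a path separator: New-Item with a path ending in “RC4 40/128” would create a key “RC4 40” with a child “128”, which Schannel ignores.

```powershell
# Added example (not from the original article): disable the Schannel protocols and
# ciphers listed above and verify the result. Run elevated on the server; reboot after.
# Uses [Microsoft.Win32.Registry] so that key names containing "/" are kept literally.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys to disable, relative to the SCHANNEL key, exactly as listed in the article
$entries = @(
    'Protocols\PCT 1.0\Client',
    'Protocols\PCT 1.0\Server',
    'Protocols\SSL 2.0\Client',
    'Protocols\SSL 2.0\Server',
    'Ciphers\DES 56/56',
    'Ciphers\NULL',
    'Ciphers\RC2 40/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128'
)

function Disable-SchannelEntry([string]$Relative) {
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath, $true)
    if ($base -eq $null) { throw "HKLM\$schannelPath does not exist; is this a Windows host with Schannel?" }
    # CreateSubKey opens the key writable if it exists and creates the whole path,
    # intermediate keys included, if it does not. "/" inside a name is not a separator here.
    $key = $base.CreateSubKey($Relative)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    $base.Close()
}

function Get-SchannelEnabled([string]$Relative) {
    # Returns the Enabled value, or $null if the key or value is absent.
    # Absent means "Windows default", i.e. the protocol or cipher is still available.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannelPath\$Relative")
    if ($key -eq $null) { return $null }
    $value = $key.GetValue('Enabled')
    $key.Close()
    return $value
}

foreach ($e in $entries) { Disable-SchannelEntry $e }

# Verification: every entry must read back as Enabled=0
$failed = 0
foreach ($e in $entries) {
    $v = Get-SchannelEnabled $e
    if ($v -eq 0) { $state = 'disabled' } else { $state = 'STILL ENABLED'; $failed++ }
    "{0,-28} Enabled={1}  {2}" -f $e, $v, $state
}
if ($failed -gt 0) { Write-Warning "$failed entries are not disabled" }
else { Write-Host "All entries disabled in the registry; reboot for Schannel to apply the change." }
```

Get-SchannelEnabled is also useful on its own for auditing a server you did not configure yourself: a key that reads back $null has never been touched and is running with the Windows default.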

How to test whether the web server still accepts weak algorithms
On Windows, the easiest way is to install Cygwin (a *nix environment for Windows) with its curl and openssl packages, then run the following against the server under test (replace fqdn and [port]). Before the fix both commands connect; after the fix and reboot both must fail with a handshake error:
Test weak protocol (SSL 2.0):
curl --verbose --sslv2 https://fqdn:[port]/
Test weak ciphers (the first form checks the NULL cipher only; the second also offers the 40- and 56-bit suites disabled above):
openssl s_client -connect fqdn:[port] -cipher NULL
openssl s_client -connect fqdn:[port] -cipher 'NULL:EXPORT:LOW'
Both curl --sslv2 and -cipher NULL need a curl/OpenSSL build that still includes SSL 2.0 and the NULL ciphers; a build without them reports an error before ever contacting the server, which is not a pass.
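For administrators without Cygwin, here is a native probe, added as an example and not part of the original article. It opens one handshake to the server under test with the client restricted to a single protocol via .NET SslStream and reports what was negotiated, including the cipher and its key length. It assumes PowerShell 2.0 (for try/catch); 'fqdn' and 443 are placeholders for the server under test. One caveat: SslStream uses the client machine's own Schannel, so the probe can only offer SSL 2.0 from a machine where the SSL 2.0 client side is still enabled; run it from such a workstation, not from the hardened server.

```powershell
# Added example (not from the original article): probe which SSL/TLS protocols the
# server accepts, one protocol per handshake. After the registry change and reboot,
# Ssl2 must be rejected while Tls still succeeds. Requires PowerShell 2.0.

function Test-SchannelProtocol {
    param(
        [string]$Server,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept any certificate: the question is which protocol the server will
        # negotiate, not whether its certificate chains to a trusted root.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        try {
            # Offer only $Protocol; no client certificate, no revocation check.
            $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
            return New-Object PSObject -Property @{
                Offered  = $Protocol
                Accepted = $true
                Detail   = "negotiated $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            }
        } catch {
            # Handshake refused or connection dropped for this protocol:
            # the desired outcome for Ssl2 once the server is hardened.
            return New-Object PSObject -Property @{
                Offered  = $Protocol
                Accepted = $false
                Detail   = $_.Exception.Message
            }
        } finally { $ssl.Close() }
    } finally { $tcp.Close() }
}

# Offer the protocols one at a time and print the outcome of each
foreach ($p in 'Ssl2', 'Ssl3', 'Tls') {
    $r = Test-SchannelProtocol -Server 'fqdn' -Port 443 -Protocol $p
    if ($r.Accepted) { "{0,-4} accepted: {1}" -f $p, $r.Detail }
    else             { "{0,-4} rejected: {1}" -f $p, $r.Detail }
}
```

The CipherStrength field is the quick check for the cipher side of the hardening: a Tls handshake reporting a 40- or 56-bit cipher means one of the Ciphers keys above was missed or the server has not been rebooted yet.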