How to enable / disable cipher suites [Answered]

1 reply

Last post Mar 08, 2012 04:36 AM by lextm

  • How to enable / disable cipher suites

    Mar 07, 2012 11:14 AM | Hermann Wolf

    I'm trying to modify the default settings for the cipher suites being used by my IIS7. I checked the following pages:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030

    http://forums.iis.net/p/1151822/1879690.aspx
    http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

    all pointing to SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL registry keys. In my current Windows installation all the keys like SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server are missing. When I add the key and set Enabled=1 (to enable SSLv2, as I want to check if the key changes anything), basically nothing changes after a reboot.

    Furthermore, I also added the key SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 with Enabled=1 and rebooted again, but the SSLScan.exe output is always the same, namely:

               ___ ___| |___  ___ __ _ _ __
              / __/ __| / __|/ __/ _` | '_ \
              \__ \__ \ \__ \ (_| (_| | | | |
              |___/___/_|___/\___\__,_|_| |_|

                      Version 1.8.2-win
                 http://www.titania.co.uk
            Copyright Ian Ventura-Whiting 2009
        Compiled against OpenSSL 0.9.8m 25 Feb 2010

    Testing SSL server localhost on port 443

      Supported Server Cipher(s):
        Failed    SSLv2  168 bits  DES-CBC3-MD5
        Failed    SSLv2   56 bits  DES-CBC-MD5
        Failed    SSLv2  128 bits  IDEA-CBC-MD5
        Failed    SSLv2   40 bits  EXP-RC2-CBC-MD5
        Failed    SSLv2  128 bits  RC2-CBC-MD5
        Failed    SSLv2   40 bits  EXP-RC4-MD5
        Failed    SSLv2  128 bits  RC4-MD5
        Failed    SSLv3  256 bits  ADH-AES256-SHA
        Failed    SSLv3  256 bits  DHE-RSA-AES256-SHA
        Failed    SSLv3  256 bits  DHE-DSS-AES256-SHA
        Failed    SSLv3  256 bits  AES256-SHA
        Failed    SSLv3  128 bits  ADH-AES128-SHA
        Failed    SSLv3  128 bits  DHE-RSA-AES128-SHA
        Failed    SSLv3  128 bits  DHE-DSS-AES128-SHA
        Failed    SSLv3  128 bits  AES128-SHA
        Failed    SSLv3  168 bits  ADH-DES-CBC3-SHA
        Failed    SSLv3   56 bits  ADH-DES-CBC-SHA
        Failed    SSLv3   40 bits  EXP-ADH-DES-CBC-SHA
        Failed    SSLv3  128 bits  ADH-RC4-MD5
        Failed    SSLv3   40 bits  EXP-ADH-RC4-MD5
        Failed    SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
        Failed    SSLv3   56 bits  EDH-RSA-DES-CBC-SHA
        Failed    SSLv3   40 bits  EXP-EDH-RSA-DES-CBC-SHA
        Failed    SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
        Failed    SSLv3   56 bits  EDH-DSS-DES-CBC-SHA
        Failed    SSLv3   40 bits  EXP-EDH-DSS-DES-CBC-SHA
        Accepted  SSLv3  168 bits  DES-CBC3-SHA
        Failed    SSLv3   56 bits  DES-CBC-SHA
        Failed    SSLv3   40 bits  EXP-DES-CBC-SHA
        Failed    SSLv3  128 bits  IDEA-CBC-SHA
        Failed    SSLv3   40 bits  EXP-RC2-CBC-MD5
        Accepted  SSLv3  128 bits  RC4-SHA
        Accepted  SSLv3  128 bits  RC4-MD5
        Failed    SSLv3   40 bits  EXP-RC4-MD5
        Failed    SSLv3    0 bits  NULL-SHA
        Failed    SSLv3    0 bits  NULL-MD5
        Failed    TLSv1  256 bits  ADH-AES256-SHA
        Failed    TLSv1  256 bits  DHE-RSA-AES256-SHA
        Failed    TLSv1  256 bits  DHE-DSS-AES256-SHA
        Accepted  TLSv1  256 bits  AES256-SHA
        Failed    TLSv1  128 bits  ADH-AES128-SHA
        Failed    TLSv1  128 bits  DHE-RSA-AES128-SHA
        Failed    TLSv1  128 bits  DHE-DSS-AES128-SHA
        Accepted  TLSv1  128 bits  AES128-SHA
        Failed    TLSv1  168 bits  ADH-DES-CBC3-SHA
        Failed    TLSv1   56 bits  ADH-DES-CBC-SHA
        Failed    TLSv1   40 bits  EXP-ADH-DES-CBC-SHA
        Failed    TLSv1  128 bits  ADH-RC4-MD5
        Failed    TLSv1   40 bits  EXP-ADH-RC4-MD5
        Failed    TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
        Failed    TLSv1   56 bits  EDH-RSA-DES-CBC-SHA
        Failed    TLSv1   40 bits  EXP-EDH-RSA-DES-CBC-SHA
        Failed    TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA
        Failed    TLSv1   56 bits  EDH-DSS-DES-CBC-SHA
        Failed    TLSv1   40 bits  EXP-EDH-DSS-DES-CBC-SHA
        Accepted  TLSv1  168 bits  DES-CBC3-SHA
        Failed    TLSv1   56 bits  DES-CBC-SHA
        Failed    TLSv1   40 bits  EXP-DES-CBC-SHA
        Failed    TLSv1  128 bits  IDEA-CBC-SHA
        Failed    TLSv1   40 bits  EXP-RC2-CBC-MD5
        Accepted  TLSv1  128 bits  RC4-SHA
        Accepted  TLSv1  128 bits  RC4-MD5
        Failed    TLSv1   40 bits  EXP-RC4-MD5
        Failed    TLSv1    0 bits  NULL-SHA
        Failed    TLSv1    0 bits  NULL-MD5

    Can anyone shed some light on that matter? For example I'd like to know:

    - why is my IIS accepting the ciphers reported as "Accepted" above (as there are no registry keys)?

    - why is my IIS ignoring the registry keys I added?

    The IIS7 is running in Windows 2008 R2 64Bit.


    Thanks for your help and advice ...

  • Re: How to enable / disable cipher suites

    Mar 08, 2012 04:36 AM | lextm

    1. If all SSLv2 ciphers are disabled, even if you tried to enable SSLv2, it won't work. From your SSLScan results, you can see SSLv2 ciphers are indeed disabled.

    2. If you read KB245030 carefully, you will learn several facts: to enable a cipher you need to set Enabled to 0xffffffff.

    Such ciphers are system-wide settings, so discussing them here in the IIS forum does not always give you all the answers you want. Please try to post to the Directory Services forum and see what the SSL/TLS experts say:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

    Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
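As an added example, not code from either post: a PowerShell script that writes the SCHANNEL Enabled values lextm describes, using the 0xffffffff/0 convention from KB245030 and the .NET registry API (needed because the PowerShell registry provider mishandles the "/" in cipher key names such as DES 56/56). It assumes an elevated session on the IIS host and the standard SCHANNEL subkey names; Ciphers\RC4 128/128 and Ciphers\Triple DES 168 are standard names not mentioned in the thread.

```powershell
# Added example, not code from the thread. Sets the SCHANNEL "Enabled" values
# discussed above. Assumed: an elevated PowerShell on the IIS host, and the
# standard SCHANNEL subkey names. SCHANNEL reads these keys at startup, so a
# reboot is still required for the change to take effect.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelEnabled {
    param(
        [Parameter(Mandatory)] [string] $SubKey,   # e.g. 'Protocols\SSL 2.0\Server'
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    # KB245030 (cited in the answer): 0xffffffff enables, 0 disables; the
    # Enabled=1 tried in the question is not the documented enable value.
    # -1 is the Int32 bit pattern of 0xffffffff; RegistryKey.SetValue converts
    # DWord values via Int32, so passing 4294967295 would overflow.
    $value = if ($Enabled) { -1 } else { 0 }
    # The .NET registry API is used instead of New-Item/Set-ItemProperty because
    # the PowerShell provider reads the '/' in 'DES 56/56' as a path separator
    # and would create 'DES 56' with a child key '56'. CreateSubKey also creates
    # any missing parent keys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelBase\$SubKey")
    try   { $key.SetValue('Enabled', [int]$value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-SchannelEnabled {
    param([Parameter(Mandatory)] [string] $SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$SubKey")
    # No key or no value means SCHANNEL's built-in default applies, which is
    # why the scan above shows suites Accepted although no keys exist.
    if (-not $key) { return 'absent (built-in default)' }
    try {
        $raw = $key.GetValue('Enabled')
        if ($null -eq $raw) { return 'absent (built-in default)' }
        return '0x{0:x8}' -f [int]$raw        # -1 prints as 0xffffffff
    } finally { $key.Close() }
}

# Harden: disable the SSL 2.0 server side and the 56-bit DES cipher from the
# question, plus the RC4 suites the scan reported as Accepted.
Set-SchannelEnabled -SubKey 'Protocols\SSL 2.0\Server' -Enabled $false
Set-SchannelEnabled -SubKey 'Ciphers\DES 56/56'        -Enabled $false
Set-SchannelEnabled -SubKey 'Ciphers\RC4 128/128'      -Enabled $false

# Read back what was written; 'Triple DES 168' is left untouched to show the default case.
foreach ($k in 'Protocols\SSL 2.0\Server', 'Ciphers\DES 56/56', 'Ciphers\RC4 128/128', 'Ciphers\Triple DES 168') {
    '{0,-28} Enabled = {1}' -f $k, (Get-SchannelEnabled -SubKey $k)
}
```

Re-run SSLScan against the host after the reboot to confirm the SSLv2 and RC4 lines have moved from Accepted to Failed.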