Dan (United States) asked:
Weak Supported Ssl Ciphers Suites

I have a problem with my server, and McAfee is stating that I need to resolve this issue. The error message is: "Weak Supported Ssl Ciphers Suites"; the category is "HTTP - General Remote Services".

Has anyone run into this before? If so, how do I resolve it? Any input would be much appreciated.
Thanks,
Dan
Tolomir (Germany):

In short, you need a better / stronger SSL encryption key for your web-based system.


Dan (asker):
Thanks, I'm not a programmer, so some of that was foreign to me. I found this, which I think is the solution, but since this website is on my main web server, and only web server, I'm reluctant to make any registry settings on the web server.

http://support.microsoft.com/kb/245030/

Thanks
Dan
Nope, basically you need a new SSL certificate for your webserver.
Dan (asker):
What's wrong with my current certificate? So you're saying to NOT make any of those registry settings, but to get a new certificate? McAfee is the one who recommended those changes to the web server.
Ok, what service do you actually provide?

And where did you get that certificate from?
Dan (asker):
The certificate is from godaddy.com. The website is www.amazingfacts.org

Well, we sell books, Bibles and other materials.  We also provide a lot of free stuff as well that people can download from the website.

I think I have to adjust the registry, I don't think it's with the certificate, I just hate touching the registry as one wrong touch, and I wouldn't even be able to log into it.

I guess I'll  just do what that Microsoft article says.
A certificate might allow 40 bit up to 512 bit encryption.

So either you use a certificate that requires 128 bit minimum or you use that resource from Microsoft to disable 40 bit encryption and allow just better encryption protocols.

The examples in http://support.microsoft.com/kb/245030/ differ only in the use of 3DES (allowed in the non-export version).

I would set, in the non-export version (with 3DES enabled):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff

leave the rest as is.

Save this to a nonexport.reg file, execute it (import it) and reboot, then test again.

In case of an error: "To return the registry settings to default, delete the SCHANNEL registry key and everything under it. If these registry keys are not present, the Schannel.dll rebuilds the keys when you restart the computer."

Tolomir

Here is my suggestion (rename to .reg): noneport.txt
It enables 3DES, SSL 3 and TLS 1.0, which are all secure.
Dan (asker):
OK, but it says that PCT 1.0 is used by my messaging system, and it's telling me to change the schannel key to only allow SSL 3.0, but I don't want to mess up anything with PCT 1.0.
OK, so when you install a cert, let's say it is a 2048 cert, and turn on SSL. The 2048 is used to encrypt the communication between client and server to negotiate the SSL strength that each can use and also to set up the shared secret for the symmetric key encryption (i.e. SSL). After that, SSL is in play. The strength of the cert is generally not very important in this - what is important is what the server supports and what the client [browser] supports.

So with an older browser, say IE3, 128-bit SSL was not really around yet. So it used 40-bit SSL if memory serves, as that was the best it could do. Because of this, Microsoft's 'open everything and secure from there' method is to have IIS listen on all valid SSL strengths - it will try to do 128 bit if the client can, but if it can't then it will jump down to whatever the highest is that the client supports and IIS supports also.

So when you are on the Directory Security tab, just under the Certificates button there is an Edit button - when you click that you can force usage of SSL for a page or entire site.  Once you do that, you can also check the sub-box to force 128-bit SSL.  Doing that will relieve this issue on the server end.

On the browser end, I am not sure of a way in IE to force 128 bit usage - if, theoretically, the server you connected to was using a lower SSL I don't honestly know what would happen - I would hope it would warn you, but it may just jump down automatically.  Now who would be using web hosting software that is over 10 years old, I don't want to know...

Firefox and IE8 will be supporting 256 bit SSL - so if a server can support that it will just happen, otherwise the client will be jumping down to 128 to support the server.  I haven't looked hard in to this, which I should, but again I'm hoping that it will prompt for action to notify the user when this happens, and/or have a configuration setting to handle how to take care of stuff.
Dan (asker):
Hey Paranormastic, thanks for the information. I turned on the 128-bit SSL, but it brought down my site. I had to turn it off, as my webmaster came to me within seconds. I can't turn it on for the entire site as we have a lot of pages that are not secure. My webmaster said to just turn it on for the SSL web pages, but I have no idea how to do that. Are you saying that Tolomir's suggestion will not work?
Sorry, didn't mean to down your site like that! I will try to minimize that for you as best I can. For turning it on for the whole site, basically every page gets encrypted, which == tons of CPU overhead per page load. Not to mention the users may not be reaching the https: instead of the http:.

Yes, just do that for the pages that need it. A common suggestion - this would want to be done in test first so you figure it out - would be to set up a 'secure' site, i.e. a separate site just for secured transactions (logon pages, etc.), and they all get dumped under that site. The normal site(s) would redir to the 'secure.domain.com' page and do its thing, which then pushes back to the normal site afterwards. Doing that enables it for that whole site, but nothing unnecessary. It makes it easier to configure in the long run since you can just dump a new sensitive page under the secure site and it's all ready to go.

For the short term, you can go into the properties of that one page and go to the Directory Security tab there and just force it there. Having it available for the rest of the site isn't a problem, just forcing them to use it is ;)


Tolomir's registry script looks like it would take care of it a totally different way, but is not as visible in the GUI.  It shouldn't hurt to do both.  I prefer checking the box method vs. registry as even if xyz program or some patch or whatever adds or modifies the registry, it does not jeopardize the rest.  However, having it generally gone helps as a backup method in case you forget to check the box.  6 of one, half dozen of the other.
Dan (asker):
OK, so how do you set the secure site for each web page? Only a few web pages are SSL, most of our site is NOT SSL, so how do I do each individual site?
Dan (asker):
Hey ToloMir,
So the file you included, I saw the registry settings, are those all the ones that the article talks about making? If I import that file, won't it mess up my entire registry? How do I just add those only, using a script, is that possible?
Dan (asker):
ToloMir,

I saw that in your file, enabled = 00000000, but the MS article says to put 0xffffffff, so is it different?

Thanks.
Dan (asker):
OK, so I just copied the example registry keys from the article, like you did ToloMir, thanks for that, but how do I know which one I need to run, the export or the non-export one? Then, how do I run it? So if I just import it, that will do the trick? By importing the file, I'm assuming it's only going to change the registry settings in the file.
This presumes IIS.
- Locate the file you wish to SSL enable
- Properties
- File Security tab
- Edit button under Secure Communication section
- Checkmark Require secure channel (SSL)
- Checkmark Require 128-bit encryption
- OK twice.

If you do not have your cert installed, you will need to do that - I am going to assume you have already done that. The View Certificate button and Edit button on the File Security tab would be highlighted if this is true; if not, and only the Server Certificate button is highlighted, then you will need to use that to create the CSR to submit to the CA to get your cert issued.
Dan (asker):
I am using DNN, so 1 file serves all the files for the website. It's a content management system, .net nuke, it's database driven and there is not a separate page for each page in the site, it runs from the database. So does this mean I need to manually change the registry settings, right? So how do I know if I need to run the exportable version, or the non-exportable version? It doesn't say which one to run in the Microsoft article.
ASKER CERTIFIED SOLUTION
Tolomir (Germany):
The exportable version comes without 3DES. Nothing else is different.

Since 3DES is not really used on the internet, you can live without it.


Although I assume that reg file is a bit outdated, since today 3DES should be exportable even for the NSA ;-)
Ouch, yeah - unless there is some way to specify it within your CMS, there isn't a great way of doing this that I can think of off the top of my head. Encrypting everything isn't really an option most people want to consider :) That being said, there should be a way to do this in DNN. I'm not sure what version you are using, but here's something to look at to see if it might help out on that end:
http://www.snapsis.com/DotNetNuke/Support/tabid/560/forumid/16/postid/6400/view/topic/Default.aspx
Dan (asker):
Thanks, I just manually changed the SSL less than 128 and that fixed it.