Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5784
  • Last Modified:

Weak Supported Ssl Ciphers Suites

I have a problem with my server and McAfee is stating that I need to resolve this issue, the error message is: "Weak Supported Ssl Ciphers Suites" , the category is "HTTP - General Remote Services"

Has anyone run into this before, if so, how do I resolve it, any input would be much appreciated.
Thanks,
Dan
0
Dan
Asked:
Dan
  • 11
  • 10
  • 4
1 Solution
 
TolomirAdministratorCommented:
0
 
TolomirAdministratorCommented:
In short you need a better / stronger SSL encryption key for your webbased system.


0
 
DanNetwork EngineerAuthor Commented:
Thanks, I'm not a programer, so some of that was foreign to me.  I found this, which I think it's the solution, but since this website is on my main web server, and only web server, I'm reluctant to make any registry settings on the web server.

http://support.microsoft.com/kb/245030/

Thanks
Dan
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
TolomirAdministratorCommented:
Nope, basically you need a new SSL certificate for your webserver.
0
 
DanNetwork EngineerAuthor Commented:
What's wrong with my current certificate?  So you're saying to NOT make any of those registry settings, but to get a new certificate?   McAfee is the one who recomended those changes to the webser.
0
 
TolomirAdministratorCommented:
Ok, what service do you actually provide?

And where did you get that certificate from?
0
 
DanNetwork EngineerAuthor Commented:
The certifiate is from godaddy.com.   The webiste is www.amazingfacts.org

Well, we sell books, Bibles and other materials.  We also provide a lot of free stuff as well that people can download from the website.

I think I have to adjust the registry, I don't think it's with the certificate, I just hate touching the registry as one wrong touch, and I wouldn't even be able to log into it.

I guess I'll  just do what that Microsoft article says.
0
 
TolomirAdministratorCommented:
A certificate might allow 40 bit up to 512 bit encryption.

So either you use a certificate that requires 128 bit minimum or you use that resource from Microsoft to disable 40 bit encryption and allow just better encryption protocols.

The examples in http://support.microsoft.com/kb/245030/ differ just in the use of 3DES (allowed for the non export version)

I would set in the non-export version (with enabled 3des)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff

leave the rest as is.

Save this to a nonexprt.reg file execute (import it) and reboot.then test again.

In case of en error "To return the registry settings to default, delete the SCHANNEL registry key and everything under it. If these registry keys are not present, the Schannel.dll rebuilds the keys when you restart the computer. "

Tolomir




0
 
TolomirAdministratorCommented:
here is my suggestion (rename to .reg)



noneport.txt
0
 
TolomirAdministratorCommented:
it enables 3des, SSL 3 and TLS 1.0 which are all secure.
0
 
DanNetwork EngineerAuthor Commented:
ok, but it says that PCT 1.0 is ued my messaging system and it's telling me to change the schannel key to only allow SSL 3.0, but I don't want to mess up anything with PCT 1.0.
0
 
ParanormasticCryptographic EngineerCommented:
Ok, so when you install a cert, lets say it is a 2048 cert, and turn on SSL.  The 2048 is used to encrypt the communication between client and server to negotiate the SSL strength that each can use and also to set up the shared secret for the symmetric key encryption (i.e. SSL).  After that, then SSL is in play.  The strength of the cert is generally not very important in this - what is important is what the server supports and what the client [browser] supports.

So with an older browser, say IE3, 128bit SSL was not really around yet.  So it used 40 bit SSL if memory serves, as that was the best it could do.  Because of this, Microsoft 'open everything and secure from there' method is to have IIS listen on all valid SSL strengths - it will try to do 128 bit if the client can, but if it can't then it will jump down to whatever the highest the client supports is that IIS support also.

So when you are on the Directory Security tab, just under the Certificates button there is an Edit button - when you click that you can force usage of SSL for a page or entire site.  Once you do that, you can also check the sub-box to force 128-bit SSL.  Doing that will relieve this issue on the server end.

On the browser end, I am not sure of a way in IE to force 128 bit usage - if, theoretically, the server you connected to was using a lower SSL I don't honestly know what would happen - I would hope it would warn you, but it may just jump down automatically.  Now who would be using web hosting software that is over 10 years old, I don't want to know...

Firefox and IE8 will be supporting 256 bit SSL - so if a server can support that it will just happen, otherwise the client will be jumping down to 128 to support the server.  I haven't looked hard in to this, which I should, but again I'm hoping that it will prompt for action to notify the user when this happens, and/or have a configuration setting to handle how to take care of stuff.
0
 
DanNetwork EngineerAuthor Commented:
hey Paranormastic, thanks for the information.  I turend on the 128 bit SSL, but it brought down my site. I had to turn it off, as my webmaster came to me within seconds. I can't turn it on for the entire site as we have a lot of pages that are not secure.  My webmaster said to just turn it on for the SSL web pages, but i have no idea how to do that.  Are you saying that Tolomir's suggestion will not work?
0
 
ParanormasticCryptographic EngineerCommented:
Sorry, didn't mean to down your site like that!  I will try to minimize that for you as best i can.  For turning it on for the whole site, basically every page gets encrypted which == tons of CPU overhead per page load.  Not to mention the users may not be reaching the https: instead of the http:.

Yes, just do that for the pages that need it.  A commond suggestion - this would want to be done in test first so you figure it out, would be to set up a 'secure' site - i.e. a seperate site just for secured transactions (logon pages, etc.) and they all get dumped under that site.  The normal site(s) would redir to the 'secure.domain.com' page and do its thing, whcih then pushes back to the normal site afterwards.  Doing that enables it for that whole site, but nothing unnecessary.  It makes it easer to configure in the long run since yo ucan just dump a new sensitive page under the secure site and its all ready to go.

For the short term, you can go into the properties of that one page and go to the directory security tab there and just force it there.  having it available for the rest of the site isn't a problem, just forcing them to use it is ;)


Tolomir's registry script looks like it would take care of it a totally different way, but is not as visible in the GUI.  It shouldn't hurt to do both.  I prefer checking the box method vs. registry as even if xyz program or some patch or whatever adds or modifies the registry, it does not jeopardize the rest.  However, having it generally gone helps as a backup method in case you forget to check the box.  6 of one, half dozen of the other.
0
 
DanNetwork EngineerAuthor Commented:
ok, so how do you set the secure site for each web page?  Only a few webpages are SSL, most of our site is NOT SSL, so how do I do each individual site?
0
 
DanNetwork EngineerAuthor Commented:
Hey ToloMir,
So the file you included, I saw the registry settings, are those all the ones that the article talks about making?   If I import that file, won't it mess up my entire registry? How do I just add those only, uisng a script, is that possbile?
0
 
DanNetwork EngineerAuthor Commented:
ToloMir,

I saw that in your file, enabled = 00000000, but the MS article says to put 0xffffffff, so is it different?

Thanks.
0
 
DanNetwork EngineerAuthor Commented:
ok, so I just copied the example registry keys from the article, like you did ToloMir, thanks for that, but how do I know which one I need to run, the export or the non-export one?  Then, how do I run it? So if I just import it, that will do the trick? By importing the file, I'm assuming it's only going to change the registry settings in the file.  
0
 
ParanormasticCryptographic EngineerCommented:
This presumes IIS.
- Locate the file you wish to SSL enable
- Properties
- File Security tab
- Edit button under Secure Communication section
- Checkmark Require secure channel (SSL)
- Checkmark Require 128-bit encryption
- OK twice.

If you do not have your cert installed, you will need to do that- I am going to assume you have already done that.  The View Certificate button and Edit button on the File Security tab would be highlighted if this is true, if not and only Server Certificate button is highlighted, then you will need to use that to create the CSR to submit to the CA to get your cert issued.
0
 
DanNetwork EngineerAuthor Commented:
I am using DNN, so 1 file serves all the files for the website.  IT's a content management system, .net nuke, it's database driven and there is not a seperate page for each page in the site, it runs from the database.  So does this mean I need to manually change the registry settings right?  So how do I know if I need to run the exportable version, or the non-exportable version, it doesn't say which one to run in the Microsoft article.
0
 
TolomirAdministratorCommented:
Sorry we live in a different timezone. I'm home now.

I did modify my edited version to allow PCT 1.0

apart from 3des, SSL 3 and TLS 1.0.

"Enabled"=dword:ffffffff <--- enables the setting

"Enabled"=dword:00000000<--- disables the setting

I did directly modify the "non-export.reg" file so the setting should be ok.


attached is the file non-export.reg.txt - rename it to non-export.reg and doubleclick on it (you can open it before in the editor if you like)

Here are more details btw.

http://support.microsoft.com/?scid=187498


---

The server should normally suggest the max encoding starting from strongest to weakest. So a servr with just DES enabled cannot be forced by the client to use 3DES.

---

There seems to be a security risk with PCT see

http://www.securityfocus.com/archive/1/361836

So it might be a good idea to leave it disabled.
---

This is to find out which schannel.dll you are using:
http://support.microsoft.com/kb/255754/de

nonexport.reg.txt
0
 
TolomirAdministratorCommented:
The exportable version comes without 3des. Nothing else is different.

Since 3des is not really used in the internet you can live without.


0
 
TolomirAdministratorCommented:
Although I assume that reg file is a bit outdated since today 3des should be exportable even for the NSA ;-)
0
 
ParanormasticCryptographic EngineerCommented:
Ouch, yea - unless there is some way to specify within your CMS there isn't a great way of doing this that I can think of off the top of my head.  Encrpting everything isn't really an option most people want to consider :)  That being said, there should be a way to do this in DNN.  I'm not sure what version you are using but here's something to look at to see if it might help out on that end:
http://www.snapsis.com/DotNetNuke/Support/tabid/560/forumid/16/postid/6400/view/topic/Default.aspx
0
 
DanNetwork EngineerAuthor Commented:
Thanks, I just manually changed the SSL less than 128 and that fixed it.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 11
  • 10
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now