Solved

Weak Supported Ssl Ciphers Suites

Posted on 2008-10-06
Last Modified: 2013-12-09
I have a problem with my server: McAfee is stating that I need to resolve this issue. The error message is "Weak Supported Ssl Ciphers Suites", and the category is "HTTP - General Remote Services".

Has anyone run into this before? If so, how do I resolve it? Any input would be much appreciated.
Thanks,
Dan
Question by:afacts
25 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 22651854
 
LVL 27

Expert Comment

by:Tolomir
ID: 22651862
In short, you need a better / stronger SSL encryption key for your web-based system.


 

Author Comment

by:afacts
ID: 22651896
Thanks, I'm not a programmer, so some of that was foreign to me.  I found this, which I think is the solution, but since this website is on my main web server, and only web server, I'm reluctant to make any registry changes on the web server.

http://support.microsoft.com/kb/245030/

Thanks
Dan
 
LVL 27

Expert Comment

by:Tolomir
ID: 22651974
Nope, basically you need a new SSL certificate for your webserver.
 

Author Comment

by:afacts
ID: 22651992
What's wrong with my current certificate?  So you're saying NOT to make any of those registry changes, but to get a new certificate?   McAfee is the one who recommended those changes to the web server.
 
LVL 27

Expert Comment

by:Tolomir
ID: 22652032
Ok, what service do you actually provide?

And where did you get that certificate from?
 

Author Comment

by:afacts
ID: 22652143
The certificate is from godaddy.com.   The website is www.amazingfacts.org

Well, we sell books, Bibles and other materials.  We also provide a lot of free stuff as well that people can download from the website.

I think I have to adjust the registry; I don't think it's the certificate. I just hate touching the registry, as with one wrong touch I wouldn't even be able to log into it.

I guess I'll just do what that Microsoft article says.
 
LVL 27

Expert Comment

by:Tolomir
ID: 22652165
A certificate might allow 40-bit up to 512-bit encryption.

So either you use a certificate that requires 128-bit minimum, or you use that resource from Microsoft to disable 40-bit encryption and allow just better encryption protocols.

The examples in http://support.microsoft.com/kb/245030/ differ just in the use of 3DES (allowed for the non-export version).

I would set, in the non-export version (with 3DES enabled):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff

Leave the rest as is.

Save this to a nonexport.reg file, execute (import) it, reboot, then test again.

In case of an error: "To return the registry settings to default, delete the SCHANNEL registry key and everything under it. If these registry keys are not present, the Schannel.dll rebuilds the keys when you restart the computer."

Tolomir




 
LVL 27

Expert Comment

by:Tolomir
ID: 22652182
Here is my suggestion (rename to .reg):



noneport.txt
 
LVL 27

Expert Comment

by:Tolomir
ID: 22652198
It enables 3DES, SSL 3 and TLS 1.0, which are all secure.
 

Author Comment

by:afacts
ID: 22652315
OK, but it says that PCT 1.0 is used by my messaging system, and it's telling me to change the schannel key to only allow SSL 3.0, but I don't want to mess up anything with PCT 1.0.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22652325
OK, so when you install a cert, let's say it is a 2048-bit cert, and turn on SSL.  The 2048-bit key is used to encrypt the communication between client and server to negotiate the SSL strength that each can use and also to set up the shared secret for the symmetric key encryption (i.e. SSL).  After that, SSL is in play.  The strength of the cert is generally not very important in this; what is important is what the server supports and what the client [browser] supports.

So with an older browser, say IE3, 128-bit SSL was not really around yet.  So it used 40-bit SSL if memory serves, as that was the best it could do.  Because of this, Microsoft's 'open everything and secure from there' method is to have IIS listen on all valid SSL strengths: it will try to do 128-bit if the client can, but if it can't then it will jump down to whatever the highest the client supports is that IIS supports also.

So when you are on the Directory Security tab, just under the Certificates button there is an Edit button - when you click that you can force usage of SSL for a page or entire site.  Once you do that, you can also check the sub-box to force 128-bit SSL.  Doing that will relieve this issue on the server end.

On the browser end, I am not sure of a way in IE to force 128-bit usage. If, theoretically, the server you connected to was using a lower SSL, I don't honestly know what would happen. I would hope it would warn you, but it may just jump down automatically.  Now who would be using web hosting software that is over 10 years old, I don't want to know...

Firefox and IE8 will be supporting 256-bit SSL, so if a server can support that it will just happen; otherwise the client will be jumping down to 128 to support the server.  I haven't looked hard into this, which I should, but again I'm hoping that it will prompt for action to notify the user when this happens, and/or have a configuration setting to handle how to take care of stuff.

Author Comment

by:afacts
ID: 22652586
Hey Paranormastic, thanks for the information.  I turned on the 128-bit SSL, but it brought down my site. I had to turn it off, as my webmaster came to me within seconds. I can't turn it on for the entire site, as we have a lot of pages that are not secure.  My webmaster said to just turn it on for the SSL web pages, but I have no idea how to do that.  Are you saying that Tolomir's suggestion will not work?
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22652827
Sorry, didn't mean to take down your site like that!  I will try to minimize that for you as best I can.  For turning it on for the whole site, basically every page gets encrypted, which == tons of CPU overhead per page load.  Not to mention the users may be reaching the http: instead of the https:.

Yes, just do that for the pages that need it.  A common suggestion (this would want to be done in test first so you can figure it out) would be to set up a 'secure' site, i.e. a separate site just for secured transactions (logon pages, etc.), and they all get dumped under that site.  The normal site(s) would redirect to the 'secure.domain.com' page and do its thing, which then pushes back to the normal site afterwards.  Doing that enables it for that whole site, but nothing unnecessary.  It makes it easier to configure in the long run, since you can just dump a new sensitive page under the secure site and it's all ready to go.

For the short term, you can go into the properties of that one page, go to the Directory Security tab there and just force it there.  Having it available for the rest of the site isn't a problem; just forcing them to use it is ;)


Tolomir's registry script looks like it would take care of it a totally different way, but is not as visible in the GUI.  It shouldn't hurt to do both.  I prefer the checking-the-box method vs. the registry, as even if xyz program or some patch or whatever adds or modifies the registry, it does not jeopardize the rest.  However, having it generally gone helps as a backup method in case you forget to check the box.  Six of one, half a dozen of the other.
 

Author Comment

by:afacts
ID: 22652961
OK, so how do you set the secure site for each web page?  Only a few web pages are SSL; most of our site is NOT SSL, so how do I do each individual page?
 

Author Comment

by:afacts
ID: 22652980
Hey Tolomir,
So the file you included: I saw the registry settings, are those all the ones that the article talks about making?   If I import that file, won't it mess up my entire registry? How do I just add those only, using a script? Is that possible?
 

Author Comment

by:afacts
ID: 22653065
Tolomir,

I saw that in your file, Enabled = 00000000, but the MS article says to put 0xffffffff, so is it different?

Thanks.
 

Author Comment

by:afacts
ID: 22653239
OK, so I just copied the example registry keys from the article, like you did Tolomir, thanks for that, but how do I know which one I need to run, the export or the non-export one?  Then, how do I run it? If I just import it, will that do the trick? By importing the file, I'm assuming it's only going to change the registry settings in the file.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22653539
This presumes IIS.
- Locate the file you wish to SSL enable
- Properties
- File Security tab
- Edit button under Secure Communication section
- Checkmark Require secure channel (SSL)
- Checkmark Require 128-bit encryption
- OK twice.

If you do not have your cert installed, you will need to do that. I am going to assume you have already done that.  The View Certificate button and Edit button on the File Security tab would be highlighted if this is true; if not, and only the Server Certificate button is highlighted, then you will need to use that to create the CSR to submit to the CA to get your cert issued.
 

Author Comment

by:afacts
ID: 22653606
I am using DNN, so one file serves all the pages for the website.  It's a content management system, DotNetNuke; it's database driven and there is not a separate file for each page in the site, it runs from the database.  So does this mean I need to manually change the registry settings, right?  So how do I know if I need to run the exportable version or the non-exportable version? It doesn't say which one to run in the Microsoft article.
 
LVL 27

Accepted Solution

by:Tolomir (earned 500 total points)
ID: 22653722
Sorry, we live in a different timezone. I'm home now.

I did modify my edited version to allow PCT 1.0, apart from 3DES, SSL 3 and TLS 1.0.

"Enabled"=dword:ffffffff <--- enables the setting

"Enabled"=dword:00000000 <--- disables the setting

I did directly modify the "non-export.reg" file, so the setting should be OK.


Attached is the file non-export.reg.txt. Rename it to non-export.reg and double-click on it (you can open it in the editor first if you like).

Here are more details btw.

http://support.microsoft.com/?scid=187498


---

The server should normally suggest the max encoding starting from strongest to weakest. So a server with just DES enabled cannot be forced by the client to use 3DES.

---

There seems to be a security risk with PCT, see

http://www.securityfocus.com/archive/1/361836

So it might be a good idea to leave it disabled.
---

This is to find out which schannel.dll you are using:
http://support.microsoft.com/kb/255754/de

nonexport.reg.txt
 
LVL 27

Expert Comment

by:Tolomir
ID: 22653759
The exportable version comes without 3DES. Nothing else is different.

Since 3DES is not really used on the internet, you can live without it.
 
LVL 27

Expert Comment

by:Tolomir
ID: 22653765
Although I assume that reg file is a bit outdated, since today 3DES should be exportable even for the NSA ;-)
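The thread's fix is a hand-edited .reg file, and the questioner's two worries were "which of the keys in KB245030 do I actually need?" and "will importing this touch anything else?". The following is an added example, not code from the thread or from the attached non-export.reg files: it parses an exported SCHANNEL .reg file, reports which weak cipher and protocol keys are still not explicitly disabled, and emits a minimal hardening .reg that sets only those keys (a .reg import merges values per key, so nothing else in the registry is affected). Assumptions: subkey names follow KB245030 ("DES 56/56", "RC4 40/128", "PCT 1.0", and so on); anything below 128-bit, plus NULL, PCT 1.0 and SSL 2.0, is treated as weak; a key absent from the export is reported because the OS default may leave it enabled; the sample export is constructed, not taken from a real server. 3DES, SSL 3.0 and TLS 1.0 are left alone to match the thread, but note that the 2008 view that SSL 3.0 and TLS 1.0 are secure no longer holds; a current hardening would add those protocols and RC4 128/128 to the disabled set.

```python
"""Parse, audit and patch Schannel cipher/protocol settings in .reg form.
Added example for this thread; not from KB245030 or the posted .reg files."""
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Subkey names as written in KB245030. Assumption: this is the weak set for a
# 2008-era server; 3DES, SSL 3.0 and TLS 1.0 are deliberately left untouched.
WEAK_CIPHERS = ["NULL", "DES 56/56", "RC2 40/128", "RC2 56/128",
                "RC4 40/128", "RC4 56/128", "RC4 64/128"]
WEAK_PROTOCOLS = ["PCT 1.0", "SSL 2.0"]
ENABLED, DISABLED = 0xFFFFFFFF, 0x00000000


def cipher_key(name):
    return "\\".join((SCHANNEL, "Ciphers", name))


def protocol_key(name, side):
    return "\\".join((SCHANNEL, "Protocols", name, side))


def parse_reg(text):
    """Return {key_path: {value_name: int}} for every key and dword value in a .reg file."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            reg.setdefault(current, {})
            continue
        val = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if val and current is not None:
            reg[current][val.group(1)] = int(val.group(2), 16)
    return reg


def weak_entries(reg):
    """List (kind, name, side) for weak ciphers/protocols not explicitly set to Enabled=0.
    A missing key counts: assumption is that the OS default may leave it enabled."""
    findings = []
    for name in WEAK_CIPHERS:
        if reg.get(cipher_key(name), {}).get("Enabled", ENABLED) != DISABLED:
            findings.append(("cipher", name, None))
    for name in WEAK_PROTOCOLS:
        for side in ("Client", "Server"):
            if reg.get(protocol_key(name, side), {}).get("Enabled", ENABLED) != DISABLED:
                findings.append(("protocol", name, side))
    return findings


def hardening_reg(findings):
    """Emit .reg text that sets Enabled=0 on each finding and nothing else."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for kind, name, side in findings:
        key = cipher_key(name) if kind == "cipher" else protocol_key(name, side)
        lines += ["[%s]" % key, '"Enabled"=dword:%08x' % DISABLED, ""]
    return "\n".join(lines)


def merge(reg, patch):
    """Simulate importing a .reg: patched values overwrite same-named values, other keys stay."""
    merged = {k: dict(v) for k, v in reg.items()}
    for key, values in patch.items():
        merged.setdefault(key, {}).update(values)
    return merged


# Constructed sample export (not from a real server): RC4 40-bit still on,
# DES and PCT/Server already off, 3DES on (and left alone).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"""

if __name__ == "__main__":
    before = parse_reg(SAMPLE_EXPORT)
    findings = weak_entries(before)
    for kind, name, side in findings:
        print("still weak:", kind, name, side or "")
    fix = hardening_reg(findings)
    print(fix)
    # After importing the generated file, nothing weak remains.
    assert weak_entries(merge(before, parse_reg(fix))) == []
```

Usage on a real server: export the SCHANNEL key with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" schannel.reg`, feed the file to `parse_reg`, review the findings, and import the generated hardening file. The checker reports keys that are merely absent as well as ones set to ffffffff, which is why the generated file lists PCT 1.0\Client even though the sample only disabled PCT 1.0\Server.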
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22654426
Ouch, yeah. Unless there is some way to specify it within your CMS, there isn't a great way of doing this that I can think of off the top of my head.  Encrypting everything isn't really an option most people want to consider :)  That being said, there should be a way to do this in DNN.  I'm not sure what version you are using, but here's something to look at to see if it might help out on that end:
http://www.snapsis.com/DotNetNuke/Support/tabid/560/forumid/16/postid/6400/view/topic/Default.aspx
 

Author Closing Comment

by:afacts
ID: 31503487
Thanks, I just manually changed the SSL to less than 128 and that fixed it.
