Allowing both 40 bit and 128 bit SSL on IIS7

gsee011198 asked
Last Modified: 2012-05-07
This may sound like a dumb question but I'm confused and have done a lot of googling so it's time to ask the "experts". I'm configuring IIS7 for SSL and have purchased an SSL certificate with a key length of 2048 bits. I want to accept both SSL and regular http (non-SSL) traffic so I have NOT checked the IIS config box of "require SSL". So far I can accept both encrypted and non-encrypted connections as desired. Also I want to accept both 40 bit and 128 bit client encryption to ensure compatibility with older browsers (we're a library). But I can't find any way to enable 40 bit encryption in the IIS configuration. Do I need a separate certificate for 40 bit? I assumed the one SSL certificate would handle all desired encryption strengths but in my one test of an old IE 40 bit only browser, it would not connect. I'm hoping this is just a configuration change in IIS. Thanks.

Paranormastic (Cryptographic Engineer)

Three things on this:

1) 40 bit encryption is enabled by default.  As long as you don't force 128 bit usage or chop out the lower algorithms from the registry you're fine.  Lower-than-128-bit browsers will negotiate the server down until they find the best they can do.

2) All browsers have been 128 bit for almost a decade now. Does your library have 3rd party rules to adhere to that state you must have 40 bit? 40 bit sessions can be hacked in a short enough period of time that the session can be realistically compromised. It is not considered secure. Actually, due to privacy concerns, the current trend is to not allow for SSL version 2 or SSL algorithms lower than 128 bit.

3) You might instead consider looking at an "SGC" (Server Gated Cryptography) certificate, sometimes also referred to as a 'step-up' certificate. Basically, it allows non-128 bit browsers to step up to support the 128 bit algorithm that the server prefers. This is also now being used to step-up 128 bit browsers to 256 bit sessions in cases where the server can support that. I won't go into details on how this works, but this is probably your best option to actually protect the security of your customers.

Having a 2048 cert is a good thing to protect the integrity of the private key.  Your 2048 certificate is probably not an SGC cert - these cost a bit more and not all vendors offer them, but plenty do.  I think GoDaddy does, I know Comodo and Verisign do.  Also, consider the privacy concerns about not forcing SSL on certain sensitive pages, like logon pages and pages that contain PII.  This can be specified per page in IIS or a number of other methods like in a host header and are well documented.
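As an added example (not code from the thread or from any of its participants), the PowerShell script below audits the SCHANNEL registry settings the answer above refers to, the 40/56-bit ciphers that are enabled by default and SSL 2.0, and with -Harden sets them to disabled. It assumes the Windows Server 2008 / IIS7 SCHANNEL registry layout and an elevated session on the IIS host.

```powershell
<#
Added example (not code from the original thread): audits the SCHANNEL registry
keys controlling the 40/56-bit "export" ciphers and SSL 2.0 discussed above and,
with -Harden, sets them to disabled. Assumes an elevated session on the IIS host;
SCHANNEL reads these keys at startup, so reboot afterwards.
#>
param([switch]$Harden)

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Cipher subkey names SCHANNEL recognises (Microsoft KB245030). The '/' in them is
# treated as a path separator by PowerShell's registry provider, so the .NET
# registry API is used below instead of New-Item / Set-ItemProperty.
$WeakCiphers   = 'RC4 40/128', 'RC4 56/128', 'RC2 40/128', 'RC2 56/128', 'DES 56/56', 'NULL'
$WeakProtocols = @('SSL 2.0\Server')

function Open-Child([Microsoft.Win32.RegistryKey]$Parent, [string]$Name) {
    # CreateSubKey opens an existing key writable, or creates it, when hardening.
    if ($Harden) { return $Parent.CreateSubKey($Name) }
    return $Parent.OpenSubKey($Name, $false)
}

function Get-EnabledState([Microsoft.Win32.RegistryKey]$Parent, [string]$Name) {
    # A missing key or missing 'Enabled' value means the Windows default, which
    # leaves the cipher/protocol enabled: the "on by default" case in the answer.
    $key = if ($Parent) { $Parent.OpenSubKey($Name, $false) }
    if ($null -eq $key) { return 'default (enabled)' }
    $value = $key.GetValue('Enabled', $null); $key.Close()
    if ($null -eq $value) { return 'default (enabled)' }
    if ($value -eq 0) { 'disabled' } else { 'enabled' }
}

function Disable-Setting([Microsoft.Win32.RegistryKey]$Parent, [string]$Name) {
    # Enabled = 0 (REG_DWORD) tells SCHANNEL never to offer this cipher/protocol.
    $key = $Parent.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

$schannel  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelPath, [bool]$Harden)
$ciphers   = Open-Child $schannel 'Ciphers'
$protocols = Open-Child $schannel 'Protocols'

foreach ($n in $WeakCiphers)   { '{0,-24} {1}' -f "Cipher $n",   (Get-EnabledState $ciphers   $n) }
foreach ($n in $WeakProtocols) { '{0,-24} {1}' -f "Protocol $n", (Get-EnabledState $protocols $n) }

if ($Harden) {
    foreach ($n in $WeakCiphers)   { Disable-Setting $ciphers   $n }
    foreach ($n in $WeakProtocols) { Disable-Setting $protocols $n }
    'Weak ciphers and SSL 2.0 disabled; reboot for SCHANNEL to apply the change.'
}
```

Run it without -Harden first to see which of these settings are still at the Windows default, which is the state the answer describes as "enabled by default".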
gsee011198 (Network Engineer)


Thanks Paranormastic for the detailed response. The web available data from our library is only name and address plus books checked out -- nothing financial so that's why we are not overly concerned about encryption level. One question -- when a library tested with an old version of IE5.0 with only 40 bit encryption, it could not connect. As soon as they upgraded to an old IE with 128 bit encryption, they could connect. This led me to think that we could not accept 40 bit connection requests -- do you have any additional ideas on this? From what you said, it seems that our new cert should handle both 40 bit and 128 bit by default.

Thanks again Paranormastic.
gsee011198 (Network Engineer)


Other related issues make this hard to solve cleanly.    Paranormastic gave a thorough and logical answer.