Allowing both 40 bit and 128 bit SSL on IIS7

This may sound like a dumb question but I'm confused and have done a lot of googling so it's time to ask the "experts". I'm configuring IIS7 for SSL and have purchased an SSL certificate with a key length of 2048 bits. I want to accept both SSL and regular http (non-SSL) traffic so I have NOT checked the IIS config box of "require SSL". So far I can accept both encrypted and non-encrypted connections as desired. Also I want to accept both 40 bit and 128 bit client encryption to ensure compatibility with older browsers (we're a library). But I can't find any way to enable 40 bit encryption in the IIS configuration. Do I need a separate certificate for 40 bit? I assumed the one SSL certificate would handle all desired encryption strengths but in my one test of an old IE 40 bit only browser, it would not connect. I'm hoping this is just a configuration change in IIS. Thanks.
Paranormastic (Cryptographic Engineer) commented:
Three things on this:

1) 40 bit encryption is enabled by default.  As long as you don't force 128 bit usage or chop out the lower algorithms from the registry you're fine.  Lower-than-128-bit browsers will negotiate the server down until they find the best they can do.

2) All browsers have been 128 bit for almost a decade now.  Does your library have 3rd party rules to adhere to that state you must have 40 bit?  40 bit sessions can be hacked in a short enough period of time that the session can be realistically compromised.  It is not considered secure.  Actually, due to privacy concerns, the current trend is to not allow for SSL version 2 or SSL algorithms lower than 128 bit.

3) You might instead consider looking at an "SGC" (Server Gated Cryptography) certificate, sometimes also referred to as a 'step-up' certificate.  Basically, it allows non-128 bit browsers to step up to support the 128 bit algorithm that the server prefers.  This is also now being used to step-up 128 bit browsers to 256 bit sessions in cases where the server can support that.  I won't go into details on how this works, but this is probably your best option to actually protect the security of your customers.

Having a 2048 cert is a good thing to protect the integrity of the private key.  Your 2048 certificate is probably not an SGC cert - these cost a bit more and not all vendors offer them, but plenty do.  I think GoDaddy does, I know Comodo and Verisign do.  Also, consider the privacy concerns about not forcing SSL on certain sensitive pages, like logon pages and pages that contain PII.  This can be specified per page in IIS or a number of other methods like in a host header and are well documented.
gsee011198 (Author) commented:
Thanks Paranormastic for the detailed response. The web available data from our library is only name and address plus books checked out -- nothing financial so that's why we are not overly concerned about encryption level. One question -- when a library tested with an old version of IE5.0 with only 40 bit encryption, it could not connect. As soon as they upgraded to an old IE with 128 bit encryption, they could connect. This led me to think that we could not accept 40 bit connection requests -- do you have any additional ideas on this? From what you said, it seems that our new cert should handle both 40 bit and 128 bit by default.

Thanks again Paranormastic.
Paranormastic (Cryptographic Engineer) commented:
Does this also include their password?  That would be my main concern.  Name and address is public information (it's in the phone book) so wouldn't be a main concern, and tying that in with a book I don't think would change the level to become PII.  The password is a different story as most users tend to use the same password (or a couple passwords) for all the sites that require them.

Also double check the browser was set to support SSL v3.0 and not just SSL v2.0.  SSL v2.0 is disabled by default in 2008.  Enabling support for v2 would be bad - it has been considered invalid for many years now - v3 has been around for over 10 years but I forget offhand if it was actually enabled by default.

Either way, I highly recommend the SGC cert instead of a normal SSL cert if this is a concern - most vendors offer them you just might not see them as a front page ad.  It truly is the best solution.
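As an added example (not code from this thread or from Microsoft), the PowerShell below audits the Schannel registry settings the two answers above refer to (server-side SSL 2.0 and the 40-bit export ciphers) on a Windows Server 2008/IIS7 host and, with -Harden, writes the disabling values; which subkeys to check is my assumption.

```powershell
# Added example, not code from the thread: audit (and optionally harden)
# the Schannel registry settings on a Windows Server 2008 / IIS7 host.
# Uses the .NET registry API because the PowerShell registry provider
# treats '/' in key names like 'RC4 40/128' as a path separator.
# Run from an elevated prompt; Schannel reads these keys at boot.
param([switch]$Harden)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Assumed checklist: subkeys whose 'Enabled' DWORD tells Schannel whether
# to offer the protocol/cipher. A missing key means the OS default applies.
$checks = @(
    @{ Sub = 'Protocols\SSL 2.0\Server'; Label = 'SSL 2.0 (server side)' },
    @{ Sub = 'Ciphers\RC4 40/128';       Label = 'RC4 40-bit export cipher' },
    @{ Sub = 'Ciphers\RC2 40/128';       Label = 'RC2 40-bit export cipher' },
    @{ Sub = 'Ciphers\DES 56/56';        Label = 'DES 56-bit cipher' }
)

foreach ($c in $checks) {
    $path  = "$schannel\$($c.Sub)"
    $state = 'OS default (key absent)'
    $key   = $hklm.OpenSubKey($path)      # $null when the key does not exist
    if ($key) {
        $enabled = $key.GetValue('Enabled', $null)
        if ($null -ne $enabled) {
            $state = if ([int]$enabled -eq 0) { 'disabled' } else { 'enabled' }
        }
        $key.Close()
    }
    Write-Output ('{0,-26} : {1}' -f $c.Label, $state)

    if ($Harden -and $state -ne 'disabled') {
        # Enabled=0 removes the protocol/cipher from what Schannel will negotiate.
        $w = $hklm.CreateSubKey($path)
        $w.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $w.Close()
        Write-Output ('  -> wrote Enabled=0 under HKLM\{0} (reboot required)' -f $path)
    }
}
```

Run it without -Harden first to see which of these a given server still offers; a browser that only negotiates SSL 2.0 or 40-bit suites will fail to connect once they are disabled, which is the trade-off the answers above describe.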

gsee011198 (Author) commented:
Other related issues make this hard to solve cleanly. Paranormastic gave a thorough and logical answer.