Allowing both 40 bit and 128 bit SSL on IIS7

Posted on 2009-07-01
Medium Priority
Last Modified: 2012-05-07
This may sound like a dumb question but I'm confused and have done a lot of googling so it's time to ask the "experts". I'm configuring IIS7 for SSL and have purchased an SSL certificate with a key length of 2048 bits. I want to accept both SSL and regular http (non-SSL) traffic so I have NOT checked the IIS config box of "require SSL". So far I can accept both encrypted and non-encrypted connections as desired. Also I want to accept both 40 bit and 128 bit client encryption to ensure compatibility with older browsers (we're a library). But I can't find any way to enable 40 bit encryption in the IIS configuration. Do I need a separate certificate for 40 bit? I assumed the one SSL certificate would handle all desired encryption strengths but in my one test of an old IE 40 bit only browser, it would not connect. I'm hoping this is just a configuration change in IIS. Thanks.
Question by:gsee011198
LVL 31

Expert Comment

ID: 24763283
Three things on this:

1) 40 bit encryption is enabled by default.  As long as you don't force 128 bit usage or chop out the lower algorithms from the registry you're fine.  Lower-than-128-bit browsers will negotiate the server down until they find the best they can do.

2) All browsers have been 128 bit for almost a decade now.  Does your library have 3rd party rules to adhere to that state you must have 40 bit?  40 bit sessions can be hacked in a short enough period of time that the session can be realistically compromised.  It is not considered secure.  Actually, due to privacy concerns, the current trend is to not allow for SSL version 2 or SSL algorithms lower than 128 bit.

3) You might instead consider looking at an "SGC" (Server Gated Cryptography) certificate, sometimes also referred to as a 'step-up' certificate.  Basically, it allows non-128 bit browsers to step up to support the 128 bit algorithm that the server prefers.  This is also now being used to step-up 128 bit browsers to 256 bit sessions in cases where the server can support that.  I won't go into details on how this works, but this is probably your best option to actually protect the security of your customers.

Having a 2048 cert is a good thing to protect the integrity of the private key.  Your 2048 certificate is probably not an SGC cert - these cost a bit more and not all vendors offer them, but plenty do.  I think GoDaddy does, I know Comodo and Verisign do.  Also, consider the privacy concerns about not forcing SSL on certain sensitive pages, like logon pages and pages that contain PII.  This can be specified per page in IIS or by a number of other methods, like in a host header, and these are well documented.

Author Comment

ID: 24765747
Thanks Paranormastic for the detailed response. The web available data from our library is only name and address plus books checked out -- nothing financial so that's why we are not overly concerned about encryption level. One question -- when a library tested with an old version of IE5.0 with only 40 bit encryption, it could not connect. As soon as they upgraded to an old IE with 128 bit encryption, they could connect. This led me to think that we could not accept 40 bit connection requests -- do you have any additional ideas on this? From what you said, it seems that our new cert should handle both 40 bit and 128 bit by default.

Thanks again Paranormastic.
LVL 31

Accepted Solution

Paranormastic earned 750 total points
ID: 24818033
Does this also include their password?  That would be my main concern.  Name and address is public information (it's in the phone book) so wouldn't be a main concern, and tying that in with a book I don't think would change the level to become PII.  The password is a different story as most users tend to use the same password (or a couple passwords) for all the sites that require them.

Also double check the browser was set to support SSL v3.0 and not just SSL v2.0.  SSL v2.0 is disabled by default in 2008.  Enabling support for v2 would be bad - it has been considered invalid for many years now - v3 has been around for over 10 years but I forget offhand if it was actually enabled by default.

Either way, I highly recommend the SGC cert instead of a normal SSL cert if this is a concern - most vendors offer them; you just might not see them as a front page ad.  It truly is the best solution.
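The accepted answer points at the SCHANNEL registry as the place where Windows Server 2008 decides whether sub-128-bit ciphers and SSL 2.0 are negotiated. The script below is an added example, not from this thread or from Microsoft: it reports the state of those keys and, with `-Harden`, sets `Enabled = 0` on each, which is the "chop out the lower algorithms from the registry" step the expert describes. It assumes an elevated PowerShell session on the IIS host and the documented SCHANNEL key layout; .NET registry calls are used because cipher key names contain "/", which the `HKLM:` provider treats as a path separator.

```powershell
# Added example (not from the thread): audit, and optionally disable, the SCHANNEL
# ciphers below 128 bits and the SSL 2.0 server protocol on a Windows Server 2008 IIS host.
# Assumes an elevated session. Key names follow the documented SCHANNEL registry layout.
param([switch]$Harden)   # without -Harden the script only reports

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# Items the accepted answer says are on unless removed from the registry, plus SSL 2.0.
$weakItems = @('Ciphers\RC2 40/128', 'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128',
               'Ciphers\DES 56/56', 'Ciphers\NULL', 'Protocols\SSL 2.0\Server')

function Get-SchannelState {
    param([string]$SubPath)
    # OpenSubKey (read-only) returns $null when the key has never been created.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubPath")
    if ($null -eq $key) { return 'OS default (key absent)' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'OS default (no Enabled value)' }
        if ($v -eq 0) { return 'disabled' } else { return 'enabled' }
    } finally { $key.Close() }
}

function Disable-SchannelItem {
    param([string]$SubPath)
    # CreateSubKey opens the key writable, creating it if it does not exist.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubPath")
    try {
        # Enabled = 0 (DWORD) switches the cipher or protocol off; SCHANNEL reads
        # these values at boot, so the change takes effect after a reboot.
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

foreach ($item in $weakItems) {
    $state = Get-SchannelState $item
    if ($Harden -and $state -ne 'disabled') {
        Disable-SchannelItem $item
        $state = 'disabled (changed; reboot required)'
    }
    '{0,-28} {1}' -f $item, $state
}
```

Run it once without `-Harden` to see which items are still at the OS default before changing anything, and test the 40-bit IE5 client against the result to confirm it is the cipher set, not the certificate, that decides whether it connects.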

Author Closing Comment

ID: 31599062
Other related issues make this hard to solve cleanly. Paranormastic gave a thorough and logical answer.
