Allowing both 40 bit and 128 bit SSL on IIS7

Posted on 2009-07-01
Medium Priority
Last Modified: 2012-05-07
This may sound like a dumb question, but I'm confused and have done a lot of googling, so it's time to ask the "experts". I'm configuring IIS7 for SSL and have purchased an SSL certificate with a key length of 2048 bits. I want to accept both SSL and regular http (non-SSL) traffic, so I have NOT checked the IIS config box "require SSL". So far I can accept both encrypted and non-encrypted connections as desired. I also want to accept both 40 bit and 128 bit client encryption to ensure compatibility with older browsers (we're a library). But I can't find any way to enable 40 bit encryption in the IIS configuration. Do I need a separate certificate for 40 bit? I assumed the one SSL certificate would handle all desired encryption strengths, but in my one test with an old 40-bit-only IE browser, it would not connect. I'm hoping this is just a configuration change in IIS. Thanks.
Question by:gsee011198

Expert Comment

ID: 24763283
Three things on this:

1) 40 bit encryption is enabled by default.  As long as you don't force 128 bit usage or chop out the lower algorithms from the registry you're fine.  Lower-than-128-bit browsers will negotiate the server down until they find the best they can do.

2) All browsers have been 128 bit for almost a decade now.  Does your library have 3rd party rules to adhere to that state you must have 40 bit?  40 bit sessions can be hacked in a short enough period of time that the session can be realistically compromised.  It is not considered secure.  Actually, due to privacy concerns, the current trend is to not allow for SSL version 2 or SSL algorithms lower than 128 bit.

3) You might instead consider looking at an "SGC" (Server Gated Cryptography) certificate, sometimes also referred to as a 'step-up' certificate.  Basically, it allows non-128 bit browsers to step up to support the 128 bit algorithm that the server prefers.  This is also now being used to step up 128 bit browsers to 256 bit sessions in cases where the server can support that.  I won't go into details on how this works, but this is probably your best option to actually protect the security of your customers.

Having a 2048 cert is a good thing to protect the integrity of the private key.  Your 2048 certificate is probably not an SGC cert - these cost a bit more and not all vendors offer them, but plenty do.  I think GoDaddy does, I know Comodo and Verisign do.  Also, consider the privacy concerns about not forcing SSL on certain sensitive pages, like logon pages and pages that contain PII.  This can be specified per page in IIS or a number of other methods like in a host header and are well documented.

Author Comment

ID: 24765747
Thanks Paranormastic for the detailed response. The web available data from our library is only name and address plus books checked out -- nothing financial, so that's why we are not overly concerned about encryption level. One question -- when a library tested with an old version of IE5.0 with only 40 bit encryption, it could not connect. As soon as they upgraded to an old IE with 128 bit encryption, they could connect. This led me to think that we could not accept 40 bit connection requests -- do you have any additional ideas on this? From what you said, it seems that our new cert should handle both 40 bit and 128 bit by default.

Thanks again Paranormastic.

Accepted Solution

Paranormastic earned 750 total points
ID: 24818033
Does this also include their password?  That would be my main concern.  Name and address is public information (it's in the phone book) so wouldn't be a main concern, and tying that in with a book I don't think would change the level to become PII.  The password is a different story as most users tend to use the same password (or a couple passwords) for all the sites that require them.

Also double check the browser was set to support SSL v3.0 and not just SSL v2.0.  SSL v2.0 is disabled by default in 2008.  Enabling support for v2 would be bad - it has been considered invalid for many years now - v3 has been around for over 10 years but I forget offhand if it was actually enabled by default.

Either way, I highly recommend the SGC cert instead of a normal SSL cert if this is a concern - most vendors offer them you just might not see them as a front page ad.  It truly is the best solution.
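The two expert comments above point at the same place for the answer: the Schannel registry settings that decide whether SSL 2.0 and the 40-bit export ciphers are offered at all. The following read-only audit is an added example, not code from the thread or from Microsoft; it assumes it is run in an elevated PowerShell prompt on the IIS host, and the key names it lists are the documented Schannel protocol and cipher keys.

```powershell
# Added example: report the Schannel settings the thread discusses without changing them.
# Run elevated on the IIS server. Uses the .NET registry API because the PowerShell
# registry provider treats the "/" in cipher key names like "RC4 40/128" as a path separator.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Settings relevant to the discussion: SSL 2.0/3.0 server support and the weak export ciphers.
$checks = @(
    @{ Name = 'SSL 2.0 (server)';  SubKey = "$base\Protocols\SSL 2.0\Server" },
    @{ Name = 'SSL 3.0 (server)';  SubKey = "$base\Protocols\SSL 3.0\Server" },
    @{ Name = 'RC4 40/128 cipher'; SubKey = "$base\Ciphers\RC4 40/128" },
    @{ Name = 'RC2 40/128 cipher'; SubKey = "$base\Ciphers\RC2 40/128" },
    @{ Name = 'DES 56/56 cipher';  SubKey = "$base\Ciphers\DES 56/56" },
    @{ Name = 'NULL cipher';       SubKey = "$base\Ciphers\NULL" }
)

function Get-SchannelWeakSettings {
    foreach ($c in $checks) {
        # When the key or its Enabled value is absent, Schannel's built-in default applies
        # (on Server 2008 that means SSL 2.0 off, the listed ciphers on unless disabled).
        $state = 'not set (Schannel default applies)'
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($c.SubKey)
        if ($null -ne $key) {
            $v = $key.GetValue('Enabled')
            if ($null -ne $v) {
                # Enabled = 0 explicitly disables; any non-zero value (0xffffffff is common) enables.
                $state = if ($v -eq 0) { 'explicitly disabled' } else { 'explicitly enabled' }
            }
            $key.Close()
        }
        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 (Server 2008).
        New-Object PSObject -Property @{
            Setting     = $c.Name
            RegistryKey = "HKLM\$($c.SubKey)"
            State       = $state
        }
    }
}

Get-SchannelWeakSettings | Format-Table Setting, State, RegistryKey -AutoSize
```

A 40-bit-only client that still fails to connect when these ciphers are enabled is usually stuck on SSL 2.0, which is what the accepted answer asks you to check in the browser rather than re-enable on the server.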

Author Closing Comment

ID: 31599062
Other related issues make this hard to solve cleanly.    Paranormastic gave a thorough and logical answer.
