How to disable renegotiation of connections

cjrcomputers
We had a vulnerability assessment done on our network and one of the messages was "The remote service encrypts traffic using TLS/SSL but allows a client to renegotiate the connection after the initial handshake..." The hosts that came up in the scan were some of our IIS servers.  Does anyone know how to go about disabling renegotiation?
Gary Davis, Dir Internet Svcs

Commented:
Perhaps the client requested the page using SSL, the page came back and then the client re-requested the same page in non-SSL and the page was returned clear text.
The page that requires https should not also allow http. If entered with http, it should redirect back to itself into https.
Double check your security scan to see what they did to find the vulnerability (the HTTP request).
Gary Davis
 
What's happening is users browsing to your site over an SSL connection are negotiating a weaker connection than is possible.

You can fix this by forcing your server not to use weak ciphers. Windows Server by default won't use the strongest encryption available, but you can force it to by modifying the registry and rebooting the server afterwards.

Take a backup of your registry, then follow the instructions here:
http://blog.techstacks.com/2008/10/iis-disabling-sslv2-and-weak-ciphers.html

Don't forget to reboot after!
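The registry change the answer above refers to, written out as an added PowerShell example (this is not code from the thread or from the linked article): it disables the SSL 2.0 server protocol and a typical set of weak SCHANNEL cipher subkeys by writing `Enabled = 0` under each, then reads the values back so you can confirm the change before rebooting. The cipher list is an assumption about which subkeys a scanner usually flags; adjust it to match the article and your scan report. Cipher key names such as `RC4 40/128` contain a forward slash, which the PowerShell registry provider treats as a path separator, so the script uses the .NET registry API instead of `New-Item`.

```powershell
# Added example, not from the original thread. Assumes Windows Server with the
# standard SCHANNEL registry layout, an elevated prompt, and a registry backup
# taken beforehand. A reboot is still required for SCHANNEL to pick up changes.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocol subkeys to disable.
$ProtocolsToDisable = @('SSL 2.0')

# Cipher subkeys to disable (assumed list of commonly flagged weak ciphers;
# these are real SCHANNEL key names, but tailor the list to your scan report).
$CiphersToDisable = @(
    'NULL',
    'DES 56/56',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128'
)

function Get-SchannelHive {
    # Open the 64-bit view of HKLM explicitly so the keys land where SCHANNEL reads them.
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Disable-SchannelSubKey {
    # Creates the subkey if missing and sets Enabled (REG_DWORD) to 0.
    param([Parameter(Mandatory)][string]$SubKey)
    $hive = Get-SchannelHive
    try {
        $key = $hive.CreateSubKey("$SchannelPath\$SubKey")
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    } finally {
        $hive.Close()
    }
}

function Get-SchannelEnabledValue {
    # Returns the Enabled value for a subkey, or $null if the key/value is absent
    # (absent means "use the OS default", which is not the same as disabled).
    param([Parameter(Mandatory)][string]$SubKey)
    $hive = Get-SchannelHive
    try {
        $key = $hive.OpenSubKey("$SchannelPath\$SubKey")
        if ($null -eq $key) { return $null }
        $value = $key.GetValue('Enabled', $null)
        $key.Close()
        return $value
    } finally {
        $hive.Close()
    }
}

# Apply the changes.
foreach ($p in $ProtocolsToDisable) { Disable-SchannelSubKey -SubKey "Protocols\$p\Server" }
foreach ($c in $CiphersToDisable)   { Disable-SchannelSubKey -SubKey "Ciphers\$c" }

# Read everything back and report, so the state is verified before the reboot.
$report = foreach ($p in $ProtocolsToDisable) {
    [pscustomobject]@{ Kind = 'Protocol'; Name = $p; Enabled = Get-SchannelEnabledValue "Protocols\$p\Server" }
}
$report += foreach ($c in $CiphersToDisable) {
    [pscustomobject]@{ Kind = 'Cipher'; Name = $c; Enabled = Get-SchannelEnabledValue "Ciphers\$c" }
}
$report | Format-Table -AutoSize

$notDisabled = $report | Where-Object { $_.Enabled -ne 0 }
if ($notDisabled) {
    Write-Warning "Some entries are not disabled; review the output above before rebooting."
} else {
    Write-Host "All listed protocols and ciphers are disabled. Reboot the server to apply."
}
```

After the reboot, re-run the vulnerability scan against the same hosts to confirm the finding is gone; the report in the script only proves the registry state, not what SCHANNEL is actually offering on the wire.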
