• Status: Solved

Missing Registry Key for SSL 3.0

I need to change from SSL 2.0 to SSL 3.0 for a website running inside a DMZ on a Windows 7 box.  (Strange set up, I know, but it is what the business needs require.)  I have read other posts on this subject and the accepted method seems to be the following:

• Open Registry Editor.
• Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
• On the Edit menu select New then DWORD Value
• Name the new value Enabled
• Ensure the value is set to 0
• Restart the server

I have also read this Microsoft article.

http://support.microsoft.com/default.aspx/kb/187498

However, it seems to me that these instructions only take the action of DISABLING 2.0.  In my system there is no key for SSL 3.0.  So, if I disable SSL 2.0 without a key being present for SSL 3.0, will the site no longer be able to function on HTTPS?  Is there a procedure I should follow to get SSL 3.0 installed on a Windows 7 system?

0
Lynn Huff
 
Paranormastic (Cryptographic Engineer) commented:
SSL2 is normally disabled on server 2008 / win7, SSL3 is normally enabled.  You can use the above registry to ensure that SSLv2 is disabled.  You can do the same registry changing SSL 3.0\server and set the value to 1 instead of 0 to ensure that SSLv3 is enabled, although you shouldn't have to.

If you are concerned if a particular version works or doesn't, I would suggest using OpenSSL.  This tool is normally used for various certificate things, which SSL requires certs.  You can google openssl download and whatever version of windows you want to install it on for a download link.  It is free opensource and has been around for many years.

Using openssl to connect only with SSLv3 to make sure it is enabled:
%opensslpath%\bin\openssl.exe s_client -host server.domain.com -port 443 -ssl3

Can use the same with -ssl2 instead of -ssl3 to try to connect using SSLv2 to make sure it does not work.
0
 
Lynn Huff (Author) commented:
I moved this problem to a test environment and went ahead and changed the registry key for SSL 2.0 even though there was no corresponding registry key for SSL 3.0.  The site now uses SSL 3.0 even without a registry key for 3.0.  Not sure why this works, but my problem is solved nonetheless.
0
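The following read-only check is an added example, not part of the original posts. It reads the SCHANNEL Protocols keys named in the question and reports, for SSL 2.0 and SSL 3.0, whether an explicit Enabled or DisabledByDefault value exists. An absent key or value means no override is configured and the operating system's built-in default for that protocol applies, which is the situation described in the thread for SSL 3.0. The function name Get-SchannelProtocolState is hypothetical.

```powershell
# Added example: read-only audit of the SCHANNEL protocol keys discussed in this thread.
# Changes nothing in the registry. Written to run on PowerShell 2.0 (Windows 7) and later.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {   # hypothetical helper name
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0'),
        [string[]]$Role     = @('Server', 'Client')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $path    = Join-Path (Join-Path $SchannelBase $p) $r
            $exists  = Test-Path -LiteralPath $path
            $enabled = $null
            $dbd     = $null
            $state   = 'Not configured (OS default applies)'

            if ($exists) {
                # Returns $null when the key exists but holds no values.
                $props = Get-ItemProperty -LiteralPath $path
                if ($props -and $props.PSObject.Properties['DisabledByDefault']) {
                    $dbd = $props.DisabledByDefault
                }
                if ($props -and $props.PSObject.Properties['Enabled']) {
                    $enabled = $props.Enabled
                    # Enabled = 0 turns the protocol off; any non-zero value turns it on.
                    $state = if ($enabled -eq 0) { 'Explicitly disabled' }
                             else                { 'Explicitly enabled' }
                }
            }

            New-Object PSObject -Property @{
                Protocol          = $p
                Role              = $r
                KeyPresent        = $exists
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            } | Select-Object Protocol, Role, KeyPresent, Enabled, DisabledByDefault, State
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run it before and after the registry change and the restart; the openssl s_client test from the answer then confirms what the server actually negotiates.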
