Insufficient Transport Layer Protection - Weak Protocol

Hello, I have a .net application hosted on a shared IIS7 Windows Server 2008 (many applications on that server).
Recently, the webinspect application has revelead the following security issue:

WebInspect has detected support for weak TLS/SSL protocols on server .
The Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol provide a protection mechanism to ensure authenticity, confidentiality and integrity of the data transmitted between a client and web server.

Explanation
Weak TLS/SSL protocols may exhibit any or all of the following properties:
• no protection against man-in-the-middle attacks
• same key used for authentication and encryption
• weak message authentication control
• no protection against TCP connection closing
These properties can allow an attacker to intercept, modify and tamper with sensitive data.

Recommendation
Disable support for weak protocols on the server.
The following protocols supported by the server are weak and should be disabled:
• For IIS, please refer to Microsoft Knowledge Base Articles:
¿ 187498
¿ 245030
¿ Security Guidance for IIS


Can it be fixed at application level, and not at server level, so the other applications are not affected?

Thanks
danielivanov2Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
this is the case where web server is establishing the ssl handshake while client initiate it, the vulnerability is at web server end and I see no way to do it at appl unless you do not want https.

it is recommended to fix it rather than avoid it else have a proxy to front the web server to establish the "real" ssl on behalf, most of the application delivery controller (adc) or loadbalancer or free proxy (like squid) can do it, of course the ssl likely to terminate at the proxy end..most of all, it is still at server end since the scan is webinspect simulate as client connecting to web server (req for the page hosted).

There is a pdf you can catch on the best practice deployment, it comes in handy (see the 2.2. Use Secure Protocols)
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.