Solved

SSL 3.0 vulnerability and how to handle this issue?

Posted on 2014-11-07
Last Modified: 2014-11-10
Windows Server 2003 and 2008 R2. I am getting a message from my network security folks saying this:
McAfee is currently unaware of a vendor-supplied patch or update (2014-10-24).
The following workaround can be used to mitigate this issue:
Disable SSL 3.0 and/or CBC-mode ciphers in SSLv3.

I have all my ciphers set to "0" but am not sure what CBC-mode means. Can someone clarify this? The other option is to upgrade to TLS. I sure would like to just disable the ciphers if possible. I am not sure if TLS works on all browsers.

Can someone please explain disabling CBC-mode ciphers and give me direction on how to upgrade to TLS, and whether there will be folks whose browsers won't work with TLS?
Question by:kdschool
5 Comments
 

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40428545
CBC: cipher block chaining. All but Windows XP IE 8 support TLS.
set-perfectFSecutity.ps1.txt
 

Author Comment

by:kdschool
ID: 40428580
It looks like on the 2008R2 server TLS 1.0 was already enabled in the registry. So I disabled SSL 3.0 and rebooted the server and my security is working fine. I noticed it says DWORD instead of QWORD. Should I be using QWORD for the TLS 1.0? Should I add any ciphers for TLS 1.0?

Expert Comment

by:David Johnson, CD, MVP
ID: 40428610
Check your site with ssllabs.com to be sure.
 

Author Comment

by:kdschool
ID: 40428629
It's inside the firewall so I can't use that tool. Is there something safe I can download?
 

Author Comment

by:kdschool
ID: 40429092
Is there any other way I can confirm the changes are effective? I disabled the SSL 3.0 in the registry and I enabled the TLS 1.0. Then rebooted the server. Would just like to confirm it's working correctly before they scan me again.
0
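One way to confirm the change from another machine inside the firewall, as an added example that is not part of the original thread: a Python script that sends a ClientHello offering only SSL 3.0 and reports whether the server answers with an SSL 3.0 ServerHello. The function names and the list of offered cipher suites are choices made for this example.

```python
import os
import socket
import struct
import sys

# Suites an SSL 3.0 client could offer: three CBC suites, then two RC4 suites.
SUITES = [0x000A, 0x002F, 0x0035, 0x0005, 0x0004]

def build_sslv3_client_hello(random_bytes=None):
    """Build one record holding a ClientHello whose only version is SSL 3.0."""
    random_bytes = random_bytes or os.urandom(32)
    body = b"\x03\x00" + random_bytes + b"\x00"      # version 3.0, random, empty session id
    body += struct.pack(">H", 2 * len(SUITES))
    body += b"".join(struct.pack(">H", s) for s in SUITES)
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data):
    """Return (ssl3_accepted, detail) for the first bytes the server sent back."""
    if len(data) >= 7 and data[0] == 0x15:           # alert record: level, description
        return False, "alert %d" % data[6]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:  # ServerHello
        return data[9:11] == b"\x03\x00", "ServerHello version %d.%d" % (data[9], data[10])
    return False, "no handshake reply (closed, reset or timed out)"

def probe(host, port=443, timeout=5.0):
    """Send the SSL 3.0 hello to host:port; errors while connecting propagate."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            # Assumption: the first read holds the record header and server version.
            data = sock.recv(4096)
        except (ConnectionError, socket.timeout):
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    accepted, detail = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("SSL 3.0 %s: %s" % ("STILL ACCEPTED" if accepted else "not accepted", detail))
```

Run it with the server name and port as arguments. A server that still has SSL 3.0 enabled answers with a version 3.0 ServerHello; one that has it disabled sends an alert or drops the connection.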
