Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How do I Disable SSL3 on 2008R2

Posted on 2014-12-19
15
112 Views
Last Modified: 2015-03-26
I have tried http://support.microsoft.com/KB/187498. but every test I run says SSL3 is still enabled.
0
Comment
Question by:kcfconsulting
  • 7
  • 4
  • 3
  • +1
15 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40510414
Powershell script to set security suites and reboot, check with ssl labs
set-oerfect-forward-security.ps1.txt
0
 
LVL 11

Assisted Solution

by:Tej Pratap Shukla ~Dexter
Tej Pratap Shukla ~Dexter earned 167 total points
ID: 40510482
Hello..

Before few days ago i was also facing the same problem. After searching a lot i found the answer that i want to share with you as it will be helpful to you.

Follow the following steps to resolve your problem:-

1) Click Start, click Run, type regedit, and then click OK.

2)In Registry Editor, locate the following registry key/folder:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4) Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

5) Enter Enabled as the name and hit Enter.

6) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

8) Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.

9) Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

10) Enter Enabled as the name and hit Enter.

11) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and Select Modify and enter 0 as the Value data.

13) Restart the computer.

14) Verify that no SSL 2.0 or SSL 3.0 ciphers are available at ServerSniff.net or the Public SSL Server Database
0
 

Author Comment

by:kcfconsulting
ID: 40510732
I already did that as I stated in the question.  Unless I'm missing something, that is what http://support.microsoft.com/KB/187498 says.
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40510738
what is the result from ssllabs.com ?
0
 

Author Comment

by:kcfconsulting
ID: 40510740
https://www.ssllabs.com/ssltest/  Tells me nothing about SSL3.  I ran it on a server with SSL3 disabled via the REG keys and all it did was give me a grade of "C".  Then I ran it a server with SSL3 wide open and it gave me a "B".
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40510746
if you click on the ip address it will tell you the results of the test
https://www.ssllabs.com/ssltest/analyze.html?d=sklep.derform.com.pl&s=217.74.73.171
0
 

Author Comment

by:kcfconsulting
ID: 40510853
Duh!   Thanks!  But it still says SSL3 is open.  I have attached the SCHANNEL reg Key as a TXT file.
SCHANNEL.txt
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40511341
Did you run the script I provided and then reboot the machine and then test?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 333 total points
ID: 40511500
If you'd like a way to do it via GUI you can have a look at IIS Crypto which is a free utility that can disable SSLv3: https://www.nartac.com/Products/IISCrypto/Default.aspx

I've used in on many web servers (2008, 2008 R2 and 2012 R2) for some web developer clients and it has worked fine on each occasion. Make sure you obviously right click and select Run as Administrator if you decide to use it.
0
 

Author Comment

by:kcfconsulting
ID: 40511607
I didn't run the script but I provided the reg key.  Is there something the script will do that isn't already there?

I already ran iiscrypto.  That's pretty much what setup the reg key the way it is now.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40512968
Did you restart the server after you made the changes and before you ran the SSLv3 test(s)?

I hope you also at least backed up the registry keys before you made the changes to them? Always do this as best practice so you can revert back to the original settings in case something goes wrong or doesn't work as expected (like it has in this scenario).
0
 

Author Comment

by:kcfconsulting
ID: 40513023
Yes and Yes.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 333 total points
ID: 40513100
Alright, give this a shot: restore from the .reg backup file > reboot > run IIS Crypto as an administrator > disable SSL > reboot > test again using https://poodlebleed.com or https://www.ssllabs.com/ssltest/

If you opt for ssllabs, make sure you clear your browser cache as a precaution.
0
 

Author Comment

by:kcfconsulting
ID: 40513236
I already did that.
0
 

Author Comment

by:kcfconsulting
ID: 40690854
Found the problem.  It was another proccess running on 443 and not IIS.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The question has been asked on multiple occasions as to how best to do printing in a remote desktop or terminal services environment.   It seems that this particular question has plagued several people and most especially as Terminal Services, as…
Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question