Solved

How do I Disable SSL3 on 2008R2

Posted on 2014-12-19
Last Modified: 2015-03-26
I have tried http://support.microsoft.com/KB/187498, but every test I run says SSL3 is still enabled.
Question by:kcfconsulting
15 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40510414
PowerShell script to set security suites and reboot; check with SSL Labs.
set-oerfect-forward-security.ps1.txt
0
 
LVL 11

Assisted Solution

by:Tej Pratap Shukla ~Dexter
Tej Pratap Shukla ~Dexter earned 167 total points
ID: 40510482
Hello..

A few days ago I was also facing the same problem. After searching a lot, I found the answer, which I want to share with you as it will be helpful to you.

Follow these steps to resolve your problem:

1) Click Start, click Run, type regedit, and then click OK.

2) In Registry Editor, locate the following registry key/folder:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4) Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

5) Enter Enabled as the name and hit Enter.

6) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

8) Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.

9) Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

10) Enter Enabled as the name and hit Enter.

11) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and Select Modify and enter 0 as the Value data.

13) Restart the computer.

14) Verify that no SSL 2.0 or SSL 3.0 ciphers are available at ServerSniff.net or the Public SSL Server Database
0
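The manual registry steps in the answer above, scripted, as an added example that is not part of the original post. The backup path is an assumption, and the script is written to run in an elevated PowerShell 2.0 or later session.

```powershell
# Added example: scripted form of the manual SCHANNEL steps. Run elevated; reboot afterwards.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols = 'SSL 2.0', 'SSL 3.0'
$backup    = 'C:\Temp\schannel-backup.reg'   # assumed path; the folder must already exist

function Get-ServerKeyPath([string]$Protocol) {
    "$schannel\Protocols\$Protocol\Server"
}

function Disable-ServerProtocol([string]$Protocol) {
    $key = Get-ServerKeyPath $Protocol
    # Create Protocols\<name>\Server only when it is missing, so existing values are kept.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 (DWORD) is the value the steps above set by hand.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Get-ServerProtocolState([string]$Protocol) {
    $key = Get-ServerKeyPath $Protocol
    $enabled = $null
    if (Test-Path $key) { $enabled = (Get-ItemProperty -Path $key).Enabled }
    if ($enabled -eq $null)  { $state = 'Enabled value not set' }
    elseif ($enabled -eq 0)  { $state = 'disabled' }
    else                     { $state = 'enabled' }
    New-Object PSObject -Property @{ Protocol = $Protocol; Enabled = $enabled; State = $state }
}

# Back up the whole SCHANNEL key first so the change can be reverted.
& reg.exe export ($schannel -replace '^HKLM:', 'HKLM') $backup /y | Out-Null

foreach ($p in $protocols) { Disable-ServerProtocol $p }

# Read the values back to confirm what is now in the registry.
$protocols | ForEach-Object { Get-ServerProtocolState $_ } |
    Select-Object Protocol, Enabled, State | Format-Table -AutoSize
```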
 

Author Comment

by:kcfconsulting
ID: 40510732
I already did that as I stated in the question.  Unless I'm missing something, that is what http://support.microsoft.com/KB/187498 says.
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40510738
What is the result from ssllabs.com?
0
 

Author Comment

by:kcfconsulting
ID: 40510740
https://www.ssllabs.com/ssltest/  Tells me nothing about SSL3.  I ran it on a server with SSL3 disabled via the REG keys and all it did was give me a grade of "C".  Then I ran it on a server with SSL3 wide open and it gave me a "B".
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40510746
If you click on the IP address, it will tell you the results of the test:
https://www.ssllabs.com/ssltest/analyze.html?d=sklep.derform.com.pl&s=217.74.73.171
0
 

Author Comment

by:kcfconsulting
ID: 40510853
Duh!   Thanks!  But it still says SSL3 is open.  I have attached the SCHANNEL reg Key as a TXT file.
SCHANNEL.txt
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40511341
Did you run the script I provided and then reboot the machine and then test?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 333 total points
ID: 40511500
If you'd like a way to do it via GUI you can have a look at IIS Crypto which is a free utility that can disable SSLv3: https://www.nartac.com/Products/IISCrypto/Default.aspx

I've used it on many web servers (2008, 2008 R2 and 2012 R2) for some web developer clients and it has worked fine on each occasion. Make sure you obviously right click and select Run as Administrator if you decide to use it.
0
 

Author Comment

by:kcfconsulting
ID: 40511607
I didn't run the script but I provided the reg key.  Is there something the script will do that isn't already there?

I already ran iiscrypto.  That's pretty much what set up the reg key the way it is now.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40512968
Did you restart the server after you made the changes and before you ran the SSLv3 test(s)?

I hope you also at least backed up the registry keys before you made the changes to them? Always do this as best practice so you can revert back to the original settings in case something goes wrong or doesn't work as expected (like it has in this scenario).
0
 

Author Comment

by:kcfconsulting
ID: 40513023
Yes and Yes.
0
 
LVL 24

Accepted Solution

by:VB ITS
VB ITS earned 333 total points
ID: 40513100
Alright, give this a shot: restore from the .reg backup file > reboot > run IIS Crypto as an administrator > disable SSL > reboot > test again using https://poodlebleed.com or https://www.ssllabs.com/ssltest/

If you opt for ssllabs, make sure you clear your browser cache as a precaution.
0
 

Author Comment

by:kcfconsulting
ID: 40513236
I already did that.
0
 

Author Comment

by:kcfconsulting
ID: 40690854
Found the problem.  It was another process running on 443 and not IIS.
0
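The resolution above (a process other than IIS was listening on 443) can be checked directly. This added example, not part of the thread, maps each TCP listener on the port to its owning process; it assumes English netstat output, and treats PID 4 (System) as the kernel HTTP.sys listener that IIS uses.

```powershell
# Added example: find which process owns the TCP listener on a port (PowerShell 2.0+).
function Get-TcpListenerOwner {
    param([int]$Port = 443)

    netstat -ano | ForEach-Object {
        # Matches lines such as:
        #   TCP    0.0.0.0:443    0.0.0.0:0    LISTENING    4
        #   TCP    [::]:443       [::]:0       LISTENING    1234
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $address = $Matches[1]
            $found   = [int]$Matches[2]
            $ownerId = [int]$Matches[3]

            if ($found -eq $Port) {
                $proc = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
                $name = '<unknown>'
                if ($proc) { $name = $proc.ProcessName }

                # PID 4 is the System process: the listener lives in a kernel driver,
                # normally HTTP.sys. Any other PID is a user-mode server that
                # terminates TLS itself and has its own protocol configuration.
                if ($ownerId -eq 4) {
                    $note = 'kernel listener (normally HTTP.sys, used by IIS)'
                } else {
                    $note = 'not HTTP.sys; check this application''s own TLS settings'
                }

                New-Object PSObject -Property @{
                    LocalAddress = $address
                    Port         = $found
                    ProcessId    = $ownerId
                    ProcessName  = $name
                    Note         = $note
                }
            }
        }
    }
}

Get-TcpListenerOwner -Port 443 |
    Select-Object LocalAddress, Port, ProcessId, ProcessName, Note |
    Format-Table -AutoSize
```

The SCHANNEL registry values only govern software that uses the Windows Schannel provider, so a listener owned by some other process can keep offering SSL3 regardless of those keys.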


Question has a verified solution.
