Solved

How do I Disable SSL3 on 2008R2

Posted on 2014-12-19
15
116 Views
Last Modified: 2015-03-26
I have tried http://support.microsoft.com/KB/187498. but every test I run says SSL3 is still enabled.
0
Comment
Question by:kcfconsulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
  • 3
  • +1
15 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40510414
Powershell script to set security suites and reboot, check with ssl labs
set-oerfect-forward-security.ps1.txt
0
 
LVL 11

Assisted Solution

by:Tej Pratap Shukla ~Dexter
Tej Pratap Shukla ~Dexter earned 167 total points
ID: 40510482
Hello..

Before few days ago i was also facing the same problem. After searching a lot i found the answer that i want to share with you as it will be helpful to you.

Follow the following steps to resolve your problem:-

1) Click Start, click Run, type regedit, and then click OK.

2)In Registry Editor, locate the following registry key/folder:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4) Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

5) Enter Enabled as the name and hit Enter.

6) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

8) Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.

9) Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

10) Enter Enabled as the name and hit Enter.

11) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and Select Modify and enter 0 as the Value data.

13) Restart the computer.

14) Verify that no SSL 2.0 or SSL 3.0 ciphers are available at ServerSniff.net or the Public SSL Server Database
0
 

Author Comment

by:kcfconsulting
ID: 40510732
I already did that as I stated in the question.  Unless I'm missing something, that is what http://support.microsoft.com/KB/187498 says.
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40510738
what is the result from ssllabs.com ?
0
 

Author Comment

by:kcfconsulting
ID: 40510740
https://www.ssllabs.com/ssltest/  Tells me nothing about SSL3.  I ran it on a server with SSL3 disabled via the REG keys and all it did was give me a grade of "C".  Then I ran it a server with SSL3 wide open and it gave me a "B".
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40510746
if you click on the ip address it will tell you the results of the test
https://www.ssllabs.com/ssltest/analyze.html?d=sklep.derform.com.pl&s=217.74.73.171
0
 

Author Comment

by:kcfconsulting
ID: 40510853
Duh!   Thanks!  But it still says SSL3 is open.  I have attached the SCHANNEL reg Key as a TXT file.
SCHANNEL.txt
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40511341
Did you run the script I provided and then reboot the machine and then test?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 333 total points
ID: 40511500
If you'd like a way to do it via GUI you can have a look at IIS Crypto which is a free utility that can disable SSLv3: https://www.nartac.com/Products/IISCrypto/Default.aspx

I've used in on many web servers (2008, 2008 R2 and 2012 R2) for some web developer clients and it has worked fine on each occasion. Make sure you obviously right click and select Run as Administrator if you decide to use it.
0
 

Author Comment

by:kcfconsulting
ID: 40511607
I didn't run the script but I provided the reg key.  Is there something the script will do that isn't already there?

I already ran iiscrypto.  That's pretty much what setup the reg key the way it is now.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40512968
Did you restart the server after you made the changes and before you ran the SSLv3 test(s)?

I hope you also at least backed up the registry keys before you made the changes to them? Always do this as best practice so you can revert back to the original settings in case something goes wrong or doesn't work as expected (like it has in this scenario).
0
 

Author Comment

by:kcfconsulting
ID: 40513023
Yes and Yes.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 333 total points
ID: 40513100
Alright, give this a shot: restore from the .reg backup file > reboot > run IIS Crypto as an administrator > disable SSL > reboot > test again using https://poodlebleed.com or https://www.ssllabs.com/ssltest/

If you opt for ssllabs, make sure you clear your browser cache as a precaution.
0
 

Author Comment

by:kcfconsulting
ID: 40513236
I already did that.
0
 

Author Comment

by:kcfconsulting
ID: 40690854
Found the problem.  It was another proccess running on 443 and not IIS.
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The environment that this is running in is SCCM 2007 R2 running on a Windows 2008 R2 server. The PXE Distribution point is running on its own Windows 2008 R2 box. This is what Event viewer showed after trying to start the WDS service:  An erro…
On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question