Solved

SSL vs TLS ?

Posted on 2015-02-19
Last Modified: 2015-03-30
I currently run a classic ASP application. We use an SSL certificate but we will change to TLS. How does this work and will the application run just fine under TLS ?
Question by:amucinobluedot
9 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40619238
> We use an SSL certificate but we will change to TLS.
This is where terminology gets us in trouble.  You really have a signed certificate which you use for SSL.  Depending on what extensions are permitted on that certificate, you could do a lot of different things with the certificate, but the certificate is materially the same.  Assuming the certificate is 2048 bits rather than 1024 bits, you should be fine.  (And that's more because everyone is moving to 2048 bits, and 1024 is in the process of being phased out, than anything specific to the move from SSL to TLS.)

> How does this work and will the application run just fine under TLS ?

The client and server will negotiate a compatible protocol.  Once you've disabled the SSL protocols on the server, assuming the client and server can negotiate a compatible protocol, everything should be fine*.  (The only time I've ever had a problem was getting a Windows XP machine to talk to a locked down Windows 2012 R2 web server... but the XP machine didn't have the necessary protocols.)

*I'd still test it in a test instance.  I can't think of an application which would care about the transport... but if my job depended on it, I'd still test it first if I could.
0
 

Author Comment

by:amucinobluedot
ID: 40619298
Thanks !
0
 

Author Comment

by:amucinobluedot
ID: 40619299
Can you provide instructions on how to disable SSL so it only uses TLS to negotiate with the clients when they connect ?
0

 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 40619355
I can direct you to the Microsoft Instructions to disable SSL, which give detailed instructions on disabling SSL via registry changes, or has a "Fixit" wizard which you can run on your system.  That said, I've heard from some folks that the wizard fails on some systems, and the manual instructions there only specify PCT.

Back up your registry before you start.

Microsoft provided similar instructions last October, when the Poodle vulnerability was making the news.  These instructions specify SSL 3.0... but if you still have SSL 2.0 enabled on the server, the same instructions apply to that version... there is another registry key for SSL 2.0 right next to SSL 3.0 in the registry.  Quoting from those instructions:
"Disable SSL 3.0 in Windows
For Server Software

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1.  Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2.  In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3.  On the Edit menu, click Add Value.
    4.  In the Data Type list, click DWORD.
    5.  In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.
    6.  In the Edit DWORD (32-bit) Value dialog box, type 0 .
    7.  Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server."
0
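
The registry steps quoted in the answer above can also be scripted. The following PowerShell is an added example, not part of the original answer or of Microsoft's instructions; it applies the same `Enabled = 0` DWORD to both the SSL 2.0 and SSL 3.0 `Server` keys, exports the SCHANNEL subtree first, and reads the values back. The backup file location is an assumption chosen for this example.

```powershell
# Added example: scripted form of the quoted registry steps.
# Run from an elevated PowerShell prompt on the server.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols = 'SSL 2.0', 'SSL 3.0'

# Assumption: backup file name and folder are chosen for this example.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "schannel-backup-$stamp.reg"

# Back up the SCHANNEL subtree before changing anything.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw 'Registry backup failed; no changes were made.'
}

foreach ($p in $protocols) {
    $key = Join-Path $schannel "Protocols\$p\Server"

    # Create the key path if it does not exist (the "New -> Key" note).
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Steps 3-6: DWORD value "Enabled" set to 0.
    # -Force overwrites the value if it is already present.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

# Read the values back so the change is confirmed, not assumed.
$report = foreach ($p in $protocols) {
    $key = Join-Path $schannel "Protocols\$p\Server"
    New-Object PSObject -Property @{
        Protocol = $p
        Enabled  = (Get-ItemProperty -Path $key -Name 'Enabled').Enabled
    }
}
$report | Format-Table Protocol, Enabled -AutoSize

$stillOn = @($report | Where-Object { $_.Enabled -ne 0 })
if ($stillOn.Count -gt 0) {
    throw 'At least one SSL protocol is still enabled; check the report above.'
}

Write-Host "Backup saved to $backup"
Write-Host 'Restart the computer for the change to take effect (step 7).'
```

As the quoted notes say, the setting applies to all server software on the system, including IIS, so try it on a test instance first.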
 

Author Comment

by:amucinobluedot
ID: 40619546
Thanks for the information, very useful. One last thing:  Which clients would only rely on SSL3 ?
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40619596
I assume you are asking how old a client would have to be to not have an available protocol to successfully negotiate with your server if you were to disable SSL 2.0 and SSL 3.0.  (Because, I can't think of anything which would rely exclusively on SSL 3.0.)

Internet Explorer older than 6, which would, in general, be Windows XP or Server 2003 that never upgraded their browser.
Opera older than 4.

TLS 1.0 is on its way out too.  When that is disabled, Google Chrome below 22, Firefox below 27, IE below 11, Opera below 14, Safari below 7, and several other browsers could have problems.  (In a lot of those, TLS > 1.0 is possibly available, but not by default.)
0
 

Author Comment

by:amucinobluedot
ID: 40619939
Thanks, wonderful information !!!
0
 
LVL 33

Expert Comment

by:Big Monty
ID: 40695576
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0


Question has a verified solution.
