Solved

SSL vs TLS ?

Posted on 2015-02-19
86 Views
Last Modified: 2015-03-30
I currently run a classic ASP application. We use an SSL certificate but we will change to TLS. How does this work and will the application run just fine under TLS ?
Question by:amucinobluedot
9 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40619238
> We use an SSL certificate but we will change to TLS.
This is where terminology gets us in trouble.  You really have a signed certificate which you use for SSL.  Depending on what extensions are permitted on that certificate, you could do a lot of different things with the certificate, but the certificate is materially the same.  Assuming the certificate is 2048 bits rather than 1024 bits, you should be fine.  (And that's more because everyone is moving to 2048 bits, and 1024 is in the process of being phased out than anything specific to the move from SSL to TLS.)

> How does this work and will the application run just fine under TLS ?

The client and server will negotiate a compatible protocol.  Once you've disabled the SSL protocols on the server, assuming the client and server can negotiate a compatible protocol, everything should be fine*.  (The only time I've ever had a problem was getting a Windows XP machine to talk to a locked down Windows 2012 R2 web server... but the XP machine didn't have the necessary protocols.)

*I'd still test it in a test instance.  I can't think of an application which would care about the transport... but if my job depended on it, I'd still test it first if I could.
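The negotiation and the "test it first" advice above can be checked directly from a Windows client. The script below is an added example, not code from the thread or from the expert; it offers the server one protocol version per handshake through .NET's SslStream and reports which versions the server accepts. Assumptions: the function name Test-SchannelProtocol and the host 'www.example.com' are placeholders, and the probing client's own .NET/Schannel build must still be willing to offer the version in question (a client with SSL 3.0 disabled reports it as "refused" whatever the server would do).

```powershell
# Added example (not from the original thread): one handshake per protocol version.
function Test-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Names of the System.Security.Authentication.SslProtocols enum members to offer.
        [string[]]$Versions = @('Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Versions) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($HostName, $Port)
            # Certificate validation is bypassed on purpose: this probes protocol
            # support, not trust, so a test instance with a self-signed cert works.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
            $proto = [System.Security.Authentication.SslProtocols]$name
            # Offer exactly this version; the handshake throws if the server rejects it.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            [pscustomobject]@{
                Offered    = $name
                Result     = 'accepted'
                Negotiated = $ssl.SslProtocol
                Cipher     = $ssl.CipherAlgorithm
            }
        } catch {
            [pscustomobject]@{
                Offered    = $name
                Result     = 'refused'
                Negotiated = $null
                Cipher     = $null
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
    }
}

# Run against the test instance before and after disabling SSL on the server;
# afterwards only the TLS rows should read "accepted". Placeholder host name.
Test-SchannelProtocol -HostName 'www.example.com' | Format-Table -AutoSize
```

Run it from the oldest client the application still has to support as well as from a current one: a version the server refuses everywhere is safe to leave off, a version that only the old client can negotiate is the one that will break when SSL is disabled.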
 

Author Comment

by:amucinobluedot
ID: 40619298
Thanks !
 

Author Comment

by:amucinobluedot
ID: 40619299
Can you provide instructions on how to disable SSL so it only uses TLS to negotiate with the clients when they connect ?

 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 40619355
I can direct you to the Microsoft Instructions to disable SSL, which give detailed instructions on disabling SSL via registry changes, or has a "Fixit" wizard which you can run on your system.  That said, I've heard from some folks that the wizard fails on some systems, and the manual instructions there only specify PCT.

Backup your registry before you start.

Microsoft provided similar instructions last October, when the Poodle vulnerability was making the news.  These instructions specify SSL 3.0... but if you still have SSL 2.0 enabled on the server, the same instructions apply to that version... there is another registry key for SSL 2.0 right next to SSL 3.0 in the registry.  Quoting from those instructions:
"Disable SSL 3.0 in Windows
For Server Software

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1.  Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2.  In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3.  On the Edit menu, click Add Value.
    4.  In the Data Type list, click DWORD.
    5.  In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.
    6.  In the Edit DWORD (32-bit) Value dialog box, type 0.
    7.  Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server."
 

Author Comment

by:amucinobluedot
ID: 40619546
Thanks for the information, very useful. One last thing:  Which clients would only rely on SSL3 ?
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40619596
I assume you are asking how old a client would have to be to not have an available protocol to successfully negotiate with your server if you were to disable SSL 2.0 and SSL 3.0.  (Because, I can't think of anything which would rely exclusively on SSL 3.0.)

Internet Explorer older than 6, which would, in general, be Windows XP or Server 2003 that never upgraded their browser.
Opera older than 4.

TLS 1.0 is on its way out too.  When that is disabled, Google Chrome below 22, Firefox below 27, IE below 11, Opera below 14, Safari below 7, and several other browsers could have problems.  (In a lot of those, TLS > 1.0 is possibly available, but not by default.)
 

Author Comment

by:amucinobluedot
ID: 40619939
Thanks, wonderful information !!!
 
LVL 33

Expert Comment

by:Big Monty
ID: 40695576
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.