
SSL vs TLS ?

I currently run a classic ASP application. We use an SSL certificate but we will change to TLS. How does this work and will the application run just fine under TLS ?
Aleks
Asked:
 
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter, Commented:
> We use an SSL certificate but we will change to TLS.
This is where terminology gets us in trouble.  You really have a signed certificate which you use for SSL.  Depending on what extensions are permitted on that certificate, you could do a lot of different things with the certificate, but the certificate is materially the same.  Assuming the certificate is 2048 bits rather than 1024 bits, you should be fine.  (And that's more because everyone is moving to 2048 bits, and 1024 is in the process of being phased out, than anything specific to the move from SSL to TLS.)

> How does this work and will the application run just fine under TLS ?

The client and server will negotiate a compatible protocol.  Once you've disabled the SSL protocols on the server, assuming the client and server can negotiate a compatible protocol, everything should be fine*.  (The only time I've ever had a problem was getting a Windows XP machine to talk to a locked down Windows 2012 R2 web server... but the XP machine didn't have the necessary protocols.)

*I'd still test it in a test instance.  I can't think of an application which would care about the transport... but if my job depended on it, I'd still test it first if I could.
 
Aleks (Author) Commented:
Thanks !
 
Aleks (Author) Commented:
Can you provide instructions on how to disable SSL so it only uses TLS to negotiate with the clients when they connect ?
 
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter, Commented:
I can direct you to the Microsoft Instructions to disable SSL, which give detailed instructions on disabling SSL via registry changes, or has a "Fixit" wizard which you can run on your system.  That said, I've heard from some folks that the wizard fails on some systems, and the manual instructions there only specify PCT.

Back up your registry before you start.

Microsoft provided similar instructions last October, when the Poodle vulnerability was making the news.  These instructions specify SSL 3.0... but if you still have SSL 2.0 enabled on the server, the same instructions apply to that version... there is another registry key for SSL 2.0 right next to SSL 3.0 in the registry.  Quoting from those instructions:
"Disable SSL 3.0 in Windows
For Server Software

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1.  Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2.  In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3.  On the Edit menu, click Add Value.
    4.  In the Data Type list, click DWORD.
    5.  In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.
    6.  In the Edit DWORD (32-bit) Value dialog box, type 0.
    7.  Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server."
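
The registry change from the quoted steps, scripted for both the SSL 2.0 and SSL 3.0 Server keys, as an added PowerShell example (it is not part of the original answer or of Microsoft's instructions). The function names and the backup file path are hypothetical; it assumes an elevated prompt and, as in step 7, a restart afterwards.

```powershell
# Added example: audit, back up and disable the server-side SSL 2.0 / SSL 3.0
# SCHANNEL protocols. Function names and backup path are hypothetical.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0'

function Get-SchannelServerState {
    param([string[]]$Protocol = $protocols)
    foreach ($p in $Protocol) {
        $key     = Join-Path $base "$p\Server"
        $exists  = Test-Path $key
        $enabled = $null
        if ($exists) {
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        # A missing key or value means the operating system default applies.
        $state = if ($null -eq $enabled) { 'not set (OS default applies)' } else { $enabled }
        [pscustomobject]@{ Protocol = $p; KeyExists = $exists; Enabled = $state }
    }
}

function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Protocol = $protocols)
    foreach ($p in $Protocol) {
        $key = Join-Path $base "$p\Server"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 0 (DWORD)')) {
            # Create the key path if it does not exist yet (the "Note" under step 2).
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Steps 3-6: DWORD value named Enabled with data 0; -Force overwrites an existing value.
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Back up the SCHANNEL branch before changing anything.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$env:TEMP\schannel-backup.reg" /y

Get-SchannelServerState                  # current state
Disable-SchannelServerProtocol -WhatIf   # dry run: lists the keys that would be written
# Disable-SchannelServerProtocol         # uncomment to apply, then restart the computer
```

After the restart, `Get-SchannelServerState` should report `Enabled` as 0 for both protocols.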
 
Aleks (Author) Commented:
Thanks for the information, very useful. One last thing:  Which clients would only rely on SSL3 ?
 
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter, Commented:
I assume you are asking how old a client would have to be to not have an available protocol to successfully negotiate with your server if you were to disable SSL 2.0 and SSL 3.0.  (Because I can't think of anything which would rely exclusively on SSL 3.0.)

Internet Explorer older than 6, which would, in general, be Windows XP or Server 2003 that never upgraded their browser.
Opera older than 4.

TLS 1.0 is on its way out too.  When that is disabled, Google Chrome below 22, Firefox below 27, IE below 11, Opera below 14, Safari below 7, and several other browsers could have problems.  (In a lot of those, TLS > 1.0 is possibly available, but not by default.)
 
Aleks (Author) Commented:
Thanks, wonderful information !!!