
SSL vs TLS ?

Posted on 2015-02-19
Last Modified: 2015-03-30
I currently run a classic ASP application. We use an SSL certificate but we will change to TLS. How does this work and will the application run just fine under TLS?
0
Question by:amucinobluedot
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40619238
> We use an SSL certificate but we will change to TLS.
This is where terminology gets us in trouble.  You really have a signed certificate which you use for SSL.  Depending on what extensions are permitted on that certificate, you could do a lot of different things with the certificate, but the certificate is materially the same.  Assuming the certificate is 2048 bits rather than 1024 bits, you should be fine.  (And that's more because everyone is moving to 2048 bits, and 1024 is in the process of being phased out than anything specific to the move from SSL to TLS.)

> How does this work and will the application run just fine under TLS ?

The client and server will negotiate a compatible protocol.  Once you've disabled the SSL protocols on the server, assuming the client and server can negotiate a compatible protocol, everything should be fine*.  (The only time I've ever had a problem was getting a Windows XP machine to talk to a locked down Windows 2012 R2 web server... but the XP machine didn't have the necessary protocols.)

*I'd still test it in a test instance.  I can't think of an application which would care about the transport... but if my job depended on it, I'd still test it first if I could.
0
 

Author Comment

by:amucinobluedot
ID: 40619298
Thanks !
0
 

Author Comment

by:amucinobluedot
ID: 40619299
Can you provide instructions on how to disable SSL so it only uses TLS to negotiate with the clients when they connect ?
0
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 2000 total points
ID: 40619355
I can direct you to the Microsoft Instructions to disable SSL, which give detailed instructions on disabling SSL via registry changes, or has a "Fixit" wizard which you can run on your system.  That said, I've heard from some folks that the wizard fails on some systems, and the manual instructions there only specify PCT.

Back up your registry before you start.

Microsoft provided similar instructions last October, when the Poodle vulnerability was making the news.  These instructions specify SSL 3.0... but if you still have SSL 2.0 enabled on the server, the same instructions apply to that version... there is another registry key for SSL 2.0 right next to SSL 3.0 in the registry.  Quoting from those instructions:
"Disable SSL 3.0 in Windows
For Server Software

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1.  Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2.  In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3.  On the Edit menu, click Add Value.
    4.  In the Data Type list, click DWORD.
    5.  In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.
    6.  In the Edit DWORD (32-bit) Value dialog box, type 0 .
    7.  Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server."
0
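
The registry steps quoted in the answer above, scripted for both SSL 2.0 and SSL 3.0, as an added example that is not part of the original thread or Microsoft's instructions. The function names and the backup file name are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not Microsoft's or the poster's script). Run from an elevated prompt.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerProtocolState {
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0'))
    foreach ($p in $Protocol) {
        $key = "$base\$p\Server"
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        # A missing key or value means the OS default for that protocol is in effect.
        $state = if ($null -eq $value) { 'not set (OS default)' } else { "Enabled = $value" }
        [pscustomobject]@{ Protocol = $p; State = $state; Key = $key }
    }
}

function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0'))
    foreach ($p in $Protocol) {
        $key = "$base\$p\Server"
        if ($PSCmdlet.ShouldProcess($key, 'set Enabled = 0 (DWORD)')) {
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null   # creates missing parent keys as well
            }
            New-ItemProperty -LiteralPath $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Back up the SCHANNEL subtree first (the file name is an assumption).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$env:TEMP\schannel-backup.reg" /y

Get-SchannelServerProtocolState            # state before the change
Disable-SchannelServerProtocol -WhatIf     # preview the keys that would be written
Disable-SchannelServerProtocol             # apply
Get-SchannelServerProtocolState            # confirm; restart for the change to take effect
```

The change affects every SCHANNEL-based server on the machine, including IIS, so run the state check on a test instance first and again after the restart.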
 

Author Comment

by:amucinobluedot
ID: 40619546
Thanks for the information, very useful. One last thing:  Which clients would only rely on SSL3 ?
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 40619596
I assume you are asking how old a client would have to be to not have an available protocol to successfully negotiate with your server if you were to disable SSL 2.0 and SSL 3.0.  (Because, I can't think of anything which would rely exclusively on SSL 3.0.)

Internet Explorer older than 6, which would, in general, be Windows XP or Server 2003 that never upgraded their browser.
Opera older than 4.

TLS 1.0 is on its way out too.  When that is disabled, Google Chrome below 22, Firefox below 27, IE below 11, Opera below 14, Safari below 7, and several other browsers could have problems.  (In a lot of those, TLS > 1.0 is possibly available, but not by default.)
0
 

Author Comment

by:amucinobluedot
ID: 40619939
Thanks, wonderful information !!!
0
 
LVL 34

Expert Comment

by:Big Monty
ID: 40695576
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
