Solved

SSL vs TLS ?

Posted on 2015-02-19
70 Views
Last Modified: 2015-03-30
I currently run a classic ASP application. We use an SSL certificate but we will change to TLS. How does this work and will the application run just fine under TLS ?
Question by:amucinobluedot
9 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40619238
> We use an SSL certificate but we will change to TLS.
This is where terminology gets us in trouble. You really have a signed certificate which you use for SSL. Depending on what extensions are permitted on that certificate, you could do a lot of different things with the certificate, but the certificate is materially the same. Assuming the certificate is 2048 bits rather than 1024 bits, you should be fine. (And that's more because everyone is moving to 2048 bits, and 1024 is in the process of being phased out, than anything specific to the move from SSL to TLS.)

> How does this work and will the application run just fine under TLS ?

The client and server will negotiate a compatible protocol.  Once you've disabled the SSL protocols on the server, assuming the client and server can negotiate a compatible protocol, everything should be fine*.  (The only time I've ever had a problem was getting a Windows XP machine to talk to a locked down Windows 2012 R2 web server... but the XP machine didn't have the necessary protocols.)

*I'd still test it in a test instance.  I can't think of an application which would care about the transport... but if my job depended on it, I'd still test it first if I could.
 

Author Comment

by:amucinobluedot
ID: 40619298
Thanks !
 

Author Comment

by:amucinobluedot
ID: 40619299
Can you provide instructions on how to disable SSL so it only uses TLS to negotiate with the clients when they connect ?
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 40619355
I can direct you to the Microsoft Instructions to disable SSL, which give detailed instructions on disabling SSL via registry changes, or offer a "Fixit" wizard which you can run on your system. That said, I've heard from some folks that the wizard fails on some systems, and the manual instructions there only specify PCT.

Backup your registry before you start.

Microsoft provided similar instructions last October, when the POODLE vulnerability was making the news. These instructions specify SSL 3.0... but if you still have SSL 2.0 enabled on the server, the same instructions apply to that version... there is another registry key for SSL 2.0 right next to SSL 3.0 in the registry. Quoting from those instructions:
"Disable SSL 3.0 in Windows
For Server Software

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1.  Click Start, click Run, type regedt32 or type regedit, and then click OK.
    2.  In Registry Editor, locate the following registry key:
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
    3.  On the Edit menu, click Add Value.
    4.  In the Data Type list, click DWORD.
    5.  In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.
    6.  In the Edit DWORD (32-bit) Value dialog box, type 0 .
    7.  Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server."
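The registry procedure quoted in the accepted solution, scripted in PowerShell as an added example (this is not code from the thread or from Microsoft's article). It follows the same steps: export the SCHANNEL\Protocols key as a backup first, create the `SSL 2.0\Server` and `SSL 3.0\Server` keys if they are missing, set `Enabled` to DWORD 0 under each, and read the values back. The `HKey_Local_Machine\System\...` path from the quoted instructions is written in PowerShell's `HKLM:\SYSTEM\...` form; the backup file path is an assumption, and the script assumes it is run in an elevated session on the test instance. As in the article, the change only takes effect after a restart.

```powershell
# Added example: disable SSL 2.0 and SSL 3.0 for server software (including IIS)
# via the SCHANNEL registry keys described in the thread, with a registry backup first.
# Assumes an elevated PowerShell session; $BackupFile is an assumed location.
param([string]$BackupFile = "$env:TEMP\schannel-protocols-backup.reg")

# Same key as the quoted instructions, in PowerShell provider notation.
$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Step 0: "Backup your registry before you start" - export the Protocols subtree.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry export failed; not changing anything."
}
Write-Host "Registry backup written to $BackupFile"

foreach ($protocol in 'SSL 2.0', 'SSL 3.0') {
    # Step 2: locate (or create, per the article's note) ...\<protocol>\Server
    $serverKey = Join-Path $protocolsKey "$protocol\Server"
    if (-not (Test-Path $serverKey)) {
        New-Item -Path $serverKey -Force | Out-Null
        Write-Host "Created $serverKey"
    }

    # Steps 3-6: DWORD value named Enabled, data 0. -Force overwrites an existing value
    # (the article's "if this value is present, double-click ... to edit").
    New-ItemProperty -Path $serverKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Read back what is now in the registry so the result can be checked before rebooting.
foreach ($protocol in 'SSL 2.0', 'SSL 3.0') {
    $serverKey = Join-Path $protocolsKey "$protocol\Server"
    $enabled = (Get-ItemProperty -Path $serverKey -Name 'Enabled').Enabled
    [pscustomobject]@{
        Protocol = $protocol
        Key      = $serverKey
        Enabled  = $enabled
        Status   = if ($enabled -eq 0) { 'disabled after restart' } else { 'STILL ENABLED' }
    }
}

Write-Host "Step 7: restart the computer for SCHANNEL to pick up the change."
```

The script changes only the `Server` side of each protocol, as the quoted instructions do; outbound connections the server makes as a client are governed by the sibling `Client` keys and are left alone. Run it on a test instance first, as the expert suggests, and keep the exported `.reg` file so the change can be reverted by importing it.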
 

Author Comment

by:amucinobluedot
ID: 40619546
Thanks for the information, very useful. One last thing: Which clients would only rely on SSL3?
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 40619596
I assume you are asking how old a client would have to be to not have an available protocol to successfully negotiate with your server if you were to disable SSL 2.0 and SSL 3.0. (Because I can't think of anything which would rely exclusively on SSL 3.0.)

Internet Explorer older than 6, which would, in general, be Windows XP or Server 2003 that never upgraded their browser.
Opera older than 4.

TLS 1.0 is on its way out too. When that is disabled, Google Chrome below 22, Firefox below 27, IE below 11, Opera below 14, Safari below 7, and several other browsers could have problems. (In a lot of those, TLS > 1.0 is possibly available, but not by default.)
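The expert's advice is to disable the old protocols and then test that clients can still negotiate. The following PowerShell script, added here as an example (not part of the thread), does that test from the client side: it opens a TLS connection to the server once per protocol version, offering only that version, and reports whether the handshake succeeded and what was actually negotiated. `$HostName` and `$Port` are assumptions pointing at a test instance; the certificate validation callback accepts any certificate because the point is protocol negotiation, not trust, so use it only against a server you administer.

```powershell
# Added example: check which SSL/TLS versions a server accepts, one handshake per version.
# Assumes a test instance at $HostName:$Port and .NET Framework 4.5 or later on the client.
param([string]$HostName = 'localhost', [int]$Port = 443)

function Test-SslProtocol {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any server certificate: we only care whether this protocol version negotiates.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        # Offer exactly one protocol version; a refused version throws an exception.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Error      = $null
        }
        $ssl.Dispose()
        return $result
    }
    catch {
        return [pscustomobject]@{
            Offered    = $Protocol
            Accepted   = $false
            Negotiated = $null
            Cipher     = $null
            Error      = $_.Exception.Message
        }
    }
    finally {
        $client.Close()
    }
}

# After disabling SSL 2.0/3.0 on the server, the first two rows should show Accepted = False
# and at least one TLS row should show Accepted = True for the versions your clients use.
$rows = foreach ($version in 'Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-SslProtocol -HostName $HostName -Port $Port -Protocol $version
}
$rows | Format-Table -AutoSize
```

Read the output with the client's own limits in mind: a newer .NET runtime refuses to offer SSL 2.0 itself, so that row can fail regardless of the server's settings, and a "not accepted" result for a TLS version can equally mean the server has no compatible cipher suite rather than the protocol being disabled, which is why the `Error` column is kept.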
 

Author Comment

by:amucinobluedot
ID: 40619939
Thanks, wonderful information !!!
 
LVL 32

Expert Comment

by:Big Monty
ID: 40695576
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
