Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Is there a possibility to enable TLS 1.2 on IIS that will take effect only for specific website (instead the whole server)?

Posted on 2015-02-22
3
Medium Priority
?
172 Views
Last Modified: 2016-05-13
We would like to upgrade our security but have couple of sites and specifically change 1 website on IIS to use TLS 1.2 (without the option of backward compatibility , meaning this specific site wont communicate on SSL3, TLS 1.0 ,  TLS 1.1 ) while the rest of the websites will still use TLS 1.0
0
Comment
Question by:safendsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40624937
It is probably to look into the SNI for SSL binding to the particular website since likely they are hosting same IP and port , the hostname will be used to differentiate and serves out their respective server cert. E.g. client sending the Server Name header in its SSL Client Hello. If this is not supplied in the client TLS negotiation then http.sys will reset the connection.

And if the server cert is of TLS cipher based and SSL negotiation is disabled, maybe it can still be viable. Pls see below too. So far, I have yet to see binding in selective of cipher to specific website unless an application proxy is used to perform that enforcement - e.g. Citrix and F5 application proxy per se

SSL Handshake and HTTPS Bindings on IIS
he client sends the server the hostname it is requesting for as a part of the CLIENT HELLO in the form of TLS EXTENSIONS.
http://blogs.msdn.com/b/kaushal/archive/2013/08/03/ssl-handshake-and-https-bindings-on-iis.aspx

Server Name Indication (SNI) with IIS 8 (Windows Server 2012)
The server checks the registry to find a certificate hash/thumbprint corresponding to the above combination of IP:Port. The server checks the below key to find the combination: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo
http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Objective of This Article In 1990’s, when I was a budding software professional, I had a lot of confusion about which stream or technology, I had to choose to build my career. In those days, I had lot of confusion like whether to choose System so…
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
The purpose of this video is to demonstrate how to automatically show related posts at the bottom of a blog post in WordPress. This will be demonstrated using a Windows 8 PC. Plugin “Yet Another Related Posts Plugin” will be used. Go to your…
The purpose of this video is to demonstrate how to add AdSense Ads to a WordPress Website, and how to set up WordPress to automatically place Ads in Sidebars. This will be demonstrated using a Windows 8 PC. Log into your AdSense account. : Cli…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question