Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 209
  • Last Modified:

Is there a possibility to enable TLS 1.2 on IIS that will take effect only for specific website (instead the whole server)?

We would like to upgrade our security but have couple of sites and specifically change 1 website on IIS to use TLS 1.2 (without the option of backward compatibility , meaning this specific site wont communicate on SSL3, TLS 1.0 ,  TLS 1.1 ) while the rest of the websites will still use TLS 1.0
0
safendsupport
Asked:
safendsupport
1 Solution
 
btanExec ConsultantCommented:
It is probably to look into the SNI for SSL binding to the particular website since likely they are hosting same IP and port , the hostname will be used to differentiate and serves out their respective server cert. E.g. client sending the Server Name header in its SSL Client Hello. If this is not supplied in the client TLS negotiation then http.sys will reset the connection.

And if the server cert is of TLS cipher based and SSL negotiation is disabled, maybe it can still be viable. Pls see below too. So far, I have yet to see binding in selective of cipher to specific website unless an application proxy is used to perform that enforcement - e.g. Citrix and F5 application proxy per se

SSL Handshake and HTTPS Bindings on IIS
he client sends the server the hostname it is requesting for as a part of the CLIENT HELLO in the form of TLS EXTENSIONS.
http://blogs.msdn.com/b/kaushal/archive/2013/08/03/ssl-handshake-and-https-bindings-on-iis.aspx

Server Name Indication (SNI) with IIS 8 (Windows Server 2012)
The server checks the registry to find a certificate hash/thumbprint corresponding to the above combination of IP:Port. The server checks the below key to find the combination: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo
http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now