Disable TLS/SSL support for 3DES cipher suite

Is there an easy way to disable TLS/SSL support for 3DES cipher suite in Windows Server 2012 R2?
Susan Jenssen asked:

arnold commented:
In 2012 IIS config you have to disable ciphers. In prior versions, using the registry editor, SCHANNEL\Ciphers is where you would disable the protocols you do not want, and the same applies to ciphers.


In IIS, site config, check the SSL ....

Let me check which, and I'll post an updated comment.

There is an SSL Labs site that can help you check/verify the secure connections offered; if I am not mistaken, the site includes references on how to disable the unwanted options/settings.
0

arnold commented:
Here is the reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a3a3d1e3-95f8-481a-8cef-42e386464be5/how-to-disable-sslv2-and-weak-ciphers-in-windows-2008-iis-70?forum=windowsserver2008r2webtechnologies which includes various approaches as well as the reference to the registry changes.

Use ssllabs.com to test your URL after the changes/restart of the IIS site you are testing.
Application/service restart; I think you do not need to reboot.
0
btan (Exec Consultant) commented:
You can try the IISCrypto tool; it also supports pre-defined templates that can be set with a single button click:

PCI. Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH, and PKCS.

FIPS 140-2. Disables everything except TLS 1.0, TLS 1.1, TLS 1.2, Triple DES 168, AES 128, AES 256, SHA1, DH, and PKCS.

BEAST. The same as PCI, but also reorders the cipher suite.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol/amp

You will need to restart the machine for it to take effect.
0

gheist commented:
I would wait for the official vendor patch (in a couple of weeks, aka Patch Wednesday+; you reboot then anyway) to:
* Force renegotiation of 3DES connections from the server side (curing CVE-2016-2183 in a way similar to OpenSSL or any latest web browser)
* Enable the flip switch in the registry to dump DES just like SSLv3
Probably you don't want to disable client-side 3DES on the spot, because sometimes you must connect to legacy devices where that one is fitted with TLS 1.0 to provide any encryption.
On the bright side: do you have huge files on your site to make connections live over 4GB?
0
btan (Exec Consultant) commented:
There is a best-practice cipher list which you can try on staging, as the order of preference will go for the most secure if supported. Otherwise remove 3DES from the ordering.
Windows Server 2012 R2 and lower:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
https://www.nartac.com/Support/IISCrypto/FAQ
0
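The registry switch arnold points to and the cipher-suite order btan lists above, combined into one added PowerShell example (this is not code from any poster in this thread). It disables the "Triple DES 168" cipher under SCHANNEL\Ciphers, which is the same switch IISCrypto flips, and removes the single 3DES suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA) from the Windows cipher suite order, then reports whether both are done. It assumes an elevated session on Windows Server 2012 R2, where the Get-TlsCipherSuite and Disable-TlsCipherSuite cmdlets exist; the function names are my own.

```powershell
# Added example, not from the thread: turn off 3DES in SCHANNEL on Windows Server 2012 R2.
# Run in an elevated PowerShell session; the Ciphers registry change needs a reboot.
#Requires -RunAsAdministrator

# Registry key used by IISCrypto and the TechNet article: Enabled = 0 turns the cipher off
$cipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'

function Disable-TripleDesCipher {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. SCHANNEL cipher switch (creates the key if it does not exist yet)
    if ($PSCmdlet.ShouldProcess($cipherKey, 'Set Enabled=0')) {
        New-Item -Path $cipherKey -Force | Out-Null
        New-ItemProperty -Path $cipherKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    }

    # 2. Cipher suite order: drop every suite whose name contains 3DES
    foreach ($suite in Get-TlsCipherSuite | Where-Object { $_.Name -like '*3DES*' }) {
        if ($PSCmdlet.ShouldProcess($suite.Name, 'Disable-TlsCipherSuite')) {
            Disable-TlsCipherSuite -Name $suite.Name
        }
    }
}

function Test-TripleDesDisabled {
    # $true only when both the registry switch and the suite order exclude 3DES
    $enabled = (Get-ItemProperty -Path $cipherKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    $suites  = @(Get-TlsCipherSuite | Where-Object { $_.Name -like '*3DES*' })
    return ($enabled -eq 0) -and ($suites.Count -eq 0)
}

Disable-TripleDesCipher -WhatIf   # dry run; remove -WhatIf to apply the change
Test-TripleDesDisabled            # prints True once both settings are in place
```

Run it with -WhatIf first to see exactly which key and which suite it would touch, then without it. As btan notes for IISCrypto, reboot before re-testing the server with SSL Labs, because SCHANNEL reads the Ciphers keys at startup.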
gr8gonzo (Consultant) commented:
Everyone above has been talking about IIS, but you have the Apache zone tagged, so just in case you're talking about Apache running on Windows, the answer is to update the SSL section of your httpd.conf file (sometimes it's all in a separate .conf file).

Basically, you should turn off SSLv2 and SSLv3 and TLS v1.0 (if you're trying to stay PCI compliant):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

And then you can specify the ciphers that you want to allow:
SSLCipherSuite RSA:!EXP:!NULL:!HIGH:!MEDIUM:!LOW

The above starts with all the RSA-type ciphers and then excludes weaker ciphers by prefixing them with the ! mark. The "HIGH" keyword represents all 3DES ciphers, so !HIGH removes all 3DES ciphers from the original list.

You can also specify specific ciphers you want or don't want - the shorter version uses aliases, which are defined in the mod_ssl documentation:
https://httpd.apache.org/docs/current/mod/mod_ssl.html

Then make sure you finish off the configuration with:
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

0
btan (Exec Consultant) commented:
This has a list of the configuration:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
https://cipherli.st/
0
gheist commented:
Just append :!3DES to the cipher spec and it is gone for good.
0
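For the Apache side discussed by gr8gonzo and btan above, and gheist's :!3DES suffix, here is an added PowerShell example (not code from any poster) that expands each SSLCipherSuite string from this thread with the openssl.exe bundled with Apache for Windows, so you can see which suites a string really leaves enabled and whether 3DES is among them. It assumes openssl.exe is on PATH (for example Apache24\bin); the function names are my own.

```powershell
# Added example, not part of any answer above: expand Apache SSLCipherSuite strings
# with openssl.exe and report whether any 3DES suite survives.
# Assumes openssl.exe is on PATH; edit $specs to match your httpd.conf.

function Get-ExpandedCipherList {
    param([Parameter(Mandatory)][string]$Spec)
    # 'openssl ciphers -v' prints one suite per line: name, protocol, Kx=, Au=, Enc=, Mac=
    $lines = & openssl ciphers -v $Spec 2>$null
    if ($LASTEXITCODE -ne 0) { return @() }   # "No cipher match": the string left nothing
    foreach ($line in $lines) {
        $fields = $line.Trim() -split '\s+'
        [pscustomobject]@{
            Name     = $fields[0]
            Protocol = $fields[1]
            Enc      = ($fields | Where-Object { $_ -like 'Enc=*' }) -replace '^Enc='
        }
    }
}

function Test-CipherSpecHas3DES {
    param([Parameter(Mandatory)][string]$Spec)
    # openssl labels the 3DES suites (DES-CBC3-SHA and friends) as Enc=3DES(168)
    $hits = @(Get-ExpandedCipherList -Spec $Spec | Where-Object { $_.Enc -like '3DES*' })
    return $hits.Count -gt 0
}

# The cipher strings that appear in this thread, plus gheist's :!3DES suffix on the last one
$specs = @(
    'RSA:!EXP:!NULL:!HIGH:!MEDIUM:!LOW',
    'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH',
    'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!3DES'
)
foreach ($spec in $specs) {
    $list = @(Get-ExpandedCipherList -Spec $spec)
    [pscustomobject]@{
        Spec    = $spec
        Suites  = $list.Count
        Has3DES = Test-CipherSpecHas3DES -Spec $spec
    }
}
```

The cipherli.st string that btan posted already yields Has3DES = False, because every group in it requires AES-GCM or AES256, so :!3DES is a safety net there rather than a fix; the same check on your own string tells you whether the suffix is actually needed. Pair it with SSLHonorCipherOrder on, as both Apache answers do, and confirm the live server with SSL Labs after restarting httpd.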
ArneLovius commented:
+1 for iiscrypto
0
gr8gonzo (Consultant) commented:
Just adding a final comment here for the sake of determining how to close the question. I don't think we can accurately pick any one particular comment unless the question's author first clarifies whether he's asking about Apache or IIS. If we need to close the question without that information, then I'd recommend an even split across all the comments, since there's value in each one.
1
btan (Exec Consultant) commented:
As advised by the experts.
0