Solved

Disable TLS/SSL support for 3DES cipher suite

Posted on 2016-09-29
Medium Priority
5,467 Views
Last Modified: 2016-11-02
Is there an easy way to disable TLS/SSL support for 3DES cipher suite in Windows Server 2012 R2?
Question by:Susan Jenssen
11 Comments
 
LVL 80

Accepted Solution

by:
arnold earned 500 total points (awarded by participants)
ID: 41822855
In 2012 IIS config you have to disable ciphers. In prior versions, using the registry editor, schannel, cipher is where you would disable the protocols you do not want, and the same applies to ciphers.


In IIS, site config, check the SSL ....

Let me check which, and I'll post an updated comment.

There is an SSL Labs site that can help you check/verify the secure connections offered; if I'm not mistaken, the site includes references on how to disable the unwanted options/settings.
0
 
LVL 80

Assisted Solution

by:arnold
arnold earned 500 total points (awarded by participants)
ID: 41822858
Here is the reference/s https://social.technet.microsoft.com/Forums/windowsserver/en-US/a3a3d1e3-95f8-481a-8cef-42e386464be5/how-to-disable-sslv2-and-weak-ciphers-in-windows-2008-iis-70?forum=windowsserver2008r2webtechnologies which includes various as well as the reference to the registry changes.

Use ssllabs.com to test your URL after changes/restart of the IIS site you are testing.
Application/service restart; I think you do not need to reboot.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41822930
You can try the iiscrypto tool and there are templates.
It also supports pre-defined templates that can be set with a single button click:

PCI. Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH, and PKCS.

FIPS 140-2. Disables everything except TLS 1.0, TLS 1.1, TLS 1.2, Triple DES 168, AES 128, AES 256, SHA1, DH, and PKCS.

BEAST. The same as PCI, but also reorders the cipher suite.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol/amp

You will need to restart the machine for it to take effect.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points (awarded by participants)
ID: 41822966
I would wait for the official vendor patch (in a couple of weeks, aka patch Wednesday, plus you reboot then anyway) to:
* Force renegotiation of 3DES connections from the server side (curing CVE-2016-2183 in a way similar to OpenSSL or any latest web browser)
* Enable a flip switch in the registry to dump DES just like SSLv3
Probably you don't want to disable client-side 3DES on the spot, because sometimes you must connect to legacy devices where that one is fitted with TLS 1.0 to provide any encryption.
On the bright side - do you have huge files on your site to make connections live over 4GB?
0
 
LVL 65

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41823014
There is a best-practice cipher list which you can try on staging, as the order of preference will go for the most secure if supported. Otherwise, remove the 3DES from the ordering.
Windows Server 2012 R2 and lower:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
https://www.nartac.com/Support/IISCrypto/FAQ
0
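An added example (not code from the thread or from IIS Crypto) that does on Windows Server 2012 R2 what arnold's registry comment and btan's cipher list describe: it turns the Triple DES 168 cipher off under the SCHANNEL key and rewrites the cipher suite order with every 3DES suite removed. It assumes an elevated PowerShell session and that the policy order key, when present, is the comma-separated REG_SZ that the "SSL Cipher Suite Order" Group Policy writes; the default-order key it falls back to is assumed to hold the system list as REG_MULTI_SZ.

```powershell
# Added example, not from the thread: disable 3DES in Schannel on Windows Server 2012 R2
# and drop every 3DES suite from the cipher suite order. Schannel reads these keys at
# boot, so a reboot is required for the change to take effect (as btan notes above).

function Disable-Schannel3DES {
    # 1. Cipher switch. Enabled=0 disables Triple DES for both server and client
    #    use of Schannel; this is the key the IIS Crypto checkbox controls.
    $cipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
    if (-not (Test-Path $cipherKey)) { New-Item -Path $cipherKey -Force | Out-Null }
    Set-ItemProperty -Path $cipherKey -Name Enabled -Value 0 -Type DWord

    # 2. Cipher suite order. Start from the existing policy order if one is set
    #    (assumption: the REG_SZ value Group Policy writes), otherwise from the
    #    system default list (assumption: REG_MULTI_SZ), and keep all non-3DES suites.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $defaultKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy) {
        $suites = $policy.Functions -split ','
    } else {
        $suites = (Get-ItemProperty -Path $defaultKey -Name Functions).Functions
    }
    $kept  = @($suites | Where-Object { $_ -notmatch '3DES' })
    $order = $kept -join ','

    # The policy value is a single REG_SZ limited to 1023 characters; a longer list is
    # silently truncated, so refuse to write one rather than lose suites at the end.
    if ($order.Length -gt 1023) {
        throw "Cipher suite order is $($order.Length) chars; trim the list before writing it."
    }
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Functions -Value $order -Type String

    # Return what changed so the run can be reviewed before the reboot.
    [pscustomobject]@{
        Removed   = @($suites | Where-Object { $_ -match '3DES' })
        Remaining = $kept.Count
    }
}

Disable-Schannel3DES
```

After the reboot, an external scan such as the SSL Labs test arnold mentions confirms that no 3DES suite is offered any more.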
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 500 total points (awarded by participants)
ID: 41823564
Everyone above has been talking about IIS, but you have the Apache zone tagged, so just in case you're talking about Apache running on Windows, the answer is to update the SSL section of your httpd.conf file (sometimes it's all in a separate .conf file).

Basically, you should turn off SSLv2 and SSLv3 and TLS v1.0 (if you're trying to stay PCI compliant):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

And then you can specify the ciphers that you want to allow:
SSLCipherSuite RSA:!EXP:!NULL:!HIGH:!MEDIUM:!LOW

The above starts with all the RSA-type ciphers and then excludes weaker ciphers by prefixing them with the ! mark. The "HIGH" keyword represents all 3DES ciphers, so !HIGH removes all 3DES ciphers from the original list.

You can also specify specific ciphers you want or don't want - the shorter version uses aliases, which are defined in the mod_ssl documentation:
https://httpd.apache.org/docs/current/mod/mod_ssl.html

Then make sure you finish off the configuration with:
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

0
 
LVL 65

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41823766
This has a list of the configuration:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
https://cipherli.st/
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points (awarded by participants)
ID: 41823863
Just append :!3DES
to the cipher spec and it is gone for good.
0
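An added example (not from the thread) for the Apache-on-Windows case gr8gonzo raises: it expands an SSLCipherSuite string with OpenSSL's ciphers command and reports whether any 3DES suite survives, before and after gheist's ":!3DES" is appended. It assumes openssl.exe is on PATH (Apache for Windows builds ship one) and that the Apache build links the same OpenSSL, so the expansion matches what mod_ssl will use.

```powershell
# Added example, not from the thread: check an Apache SSLCipherSuite string for 3DES
# by asking OpenSSL to expand it. Assumes openssl.exe is on PATH.
function Test-CipherSpecFor3DES {
    param([Parameter(Mandatory)][string]$Spec)

    # "openssl ciphers -v" prints one suite per line with an "Enc=3DES(168)" column
    # for Triple DES; a spec that matches nothing exits non-zero ("Error in cipher list").
    $lines = & openssl ciphers -v $Spec 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "openssl rejected cipher spec '$Spec': $lines"
    }
    $tdes = @($lines | Where-Object { $_ -match 'Enc=3DES' })

    [pscustomobject]@{
        Spec       = $Spec
        Total      = @($lines).Count
        TripleDES  = $tdes.Count
        Suites3DES = @($tdes | ForEach-Object { ($_ -split '\s+')[0] })
    }
}

# A spec that still carries 3DES, then the same spec with gheist's ":!3DES" appended
# (constructed inputs; the cipherli.st string btan quotes contains no 3DES to begin with).
'RSA:!EXP:!NULL',
'RSA:!EXP:!NULL:!3DES' | ForEach-Object { Test-CipherSpecFor3DES $_ } | Format-List
```

The first result lists DES-CBC3-SHA under Suites3DES; the second reports TripleDES 0, which is the state to aim for before restarting Apache.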
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41824020
+1 for iiscrypto
0
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 500 total points (awarded by participants)
ID: 41844164
Just adding a final comment here for the sake of determining how to close the question. I don't think we can accurately pick any one particular comment unless the question's author first clarifies whether he's asking about Apache or IIS. If we need to close the question without that information, then I'd recommend an even split across all the comments, since there's value in each one.
1
 
LVL 65

Expert Comment

by:btan
ID: 41869836
As per advised by experts.
0
