Solved

Disable TLS/SSL support for 3DES cipher suite

Posted on 2016-09-29
68 Views
Last Modified: 2016-11-02
Is there an easy way to disable TLS/SSL support for 3DES cipher suite in Windows Server 2012 R2?
Question by:Susan Jenssen
11 Comments
 
LVL 76

Accepted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
In 2012 IIS config you have to disable ciphers. In prior versions, using the registry editor, the schannel cipher key is where you would disable the protocols you do not want, and the same applies to ciphers.


In IIS site config, check the SSL ...

Let me check which, and I'll post an updated comment.

There is an SSL Labs site that can help you check/verify the secure connections offered; if not mistaken, the site includes references on how to disable the unwanted options/settings.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
Here is the reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a3a3d1e3-95f8-481a-8cef-42e386464be5/how-to-disable-sslv2-and-weak-ciphers-in-windows-2008-iis-70?forum=windowsserver2008r2webtechnologies which includes various options as well as the reference to the registry changes.

Use ssllabs.com to test your URL after the changes/restart of the IIS site you are testing.
Application/service restart; I think you do not need to reboot.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
You can try the IIS Crypto tool; it also supports pre-defined templates that can be set with a single button click:

PCI. Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH, and PKCS.

FIPS 140-2. Disables everything except TLS 1.0, TLS 1.1, TLS 1.2, Triple DES 168, AES 128, AES 256, SHA1, DH, and PKCS.

BEAST. The same as PCI, but also reorders the cipher suite.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol/amp

You will need to restart the machine for it to take effect.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 125 total points (awarded by participants)
I would wait for the official vendor patch (in a couple of weeks, aka Patch Wednesday; you reboot then anyway) to:
* Force renegotiation of 3DES connections from the server side (curing CVE-2016-2183 in a way similar to OpenSSL or any latest web browser)
* Enable the flip switch in the registry to dump DES just like SSLv3
Probably you don't want to disable client-side 3DES on the spot, because sometimes you must connect to legacy devices where that one is fitted with TLS 1.0 to provide any encryption.
On the bright side: do you have huge files on your site to make connections live over 4GB?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
There is a best-practice cipher list which you can try on staging, as the order of preference will go for the most secure if supported. Otherwise, remove 3DES from the ordering.
Windows Server 2012 R2 and lower:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
https://www.nartac.com/Support/IISCrypto/FAQ
0
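The registry change arnold refers to and the cipher-suite-order trimming btan describes, written out as an added PowerShell example for Windows Server 2012 R2 (my code, not taken from this thread or from IIS Crypto). It assumes an elevated session and the TLS module cmdlets (Get-TlsCipherSuite / Disable-TlsCipherSuite) that ship with 2012 R2 and later; the registry path is the standard Schannel location. As btan notes above, Schannel only picks up these keys after a reboot, so the verification at the end is meaningful after the restart.

```powershell
# Added example: disable the 3DES cipher in Schannel on Windows Server 2012 R2.
# Two places matter: the per-cipher "Enabled" switch and the cipher suite order.

$cipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'

# 1. Per-cipher kill switch. Enabled = 0 turns Triple DES off for every suite
#    that uses it, regardless of where the suite sits in the order. The key does
#    not exist by default, so create it first.
if (-not (Test-Path $cipherKey)) {
    New-Item -Path $cipherKey -Force | Out-Null
}
New-ItemProperty -Path $cipherKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

# 2. Cipher suite order. Remove every suite whose name contains 3DES from the
#    list Schannel negotiates from (TLS_RSA_WITH_3DES_EDE_CBC_SHA is the usual one).
#    Disable-TlsCipherSuite edits the local order; a Group Policy cipher suite
#    order, if one is applied, overrides the local list and must be edited there.
Get-TlsCipherSuite | Where-Object { $_.Name -like '*3DES*' } | ForEach-Object {
    Write-Output "Removing $($_.Name) from the cipher suite order"
    Disable-TlsCipherSuite -Name $_.Name
}

# 3. Verify (after the reboot): no 3DES suite should remain in the order and the
#    Enabled value should read 0. Follow up with an external check such as SSL Labs
#    against the public hostname, as arnold suggests.
$remaining = @(Get-TlsCipherSuite | Where-Object { $_.Name -like '*3DES*' })
if ($remaining.Count -gt 0) {
    Write-Warning ('3DES suites still listed: ' + ($remaining.Name -join ', '))
} else {
    Write-Output '3DES suites removed from the cipher suite order.'
}
Write-Output ('Triple DES 168 Enabled = ' + (Get-ItemProperty -Path $cipherKey).Enabled)
```

Try this on a staging host first: the per-cipher switch is global to the box, so it affects every Schannel consumer (IIS, RDP, SQL Server, SMTP) and any client that can only speak 3DES, which is the legacy-device concern gheist raises above.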
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 125 total points (awarded by participants)
Everyone above has been talking about IIS, but you have the Apache zone tagged, so just in case you're talking about Apache running on Windows, the answer is to update the SSL section of your httpd.conf file (sometimes it's all in a separate .conf file).

Basically, you should turn off SSLv2 and SSLv3 and TLS v1.0 (if you're trying to stay PCI compliant):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

And then you can specify the ciphers that you want to allow:
SSLCipherSuite RSA:!EXP:!NULL:!HIGH:!MEDIUM:!LOW

The above starts with all the RSA-type ciphers and then excludes weaker ciphers by prefixing them with the ! mark. The "HIGH" keyword represents all 3DES ciphers, so !HIGH removes all 3DES ciphers from the original list.

You can also specify specific ciphers you want or don't want; the shorter version uses aliases, which are defined in the mod_ssl documentation:
https://httpd.apache.org/docs/current/mod/mod_ssl.html

Then make sure you finish off the configuration with:
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
0
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
This has a list of the configuration:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
https://cipherli.st/
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 125 total points (awarded by participants)
Just append :!3DES to the cipher spec and it is gone for good.
0
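For the Apache-on-Windows case covered by gr8gonzo, btan and gheist above, here is an added PowerShell check (my code, not from the thread or from cipherli.st) that expands an SSLCipherSuite string with the openssl.exe that ships in the Apache bin directory and reports which 3DES suites, if any, survive. The function name Test-CipherSpecFor3DES and the C:\Apache24\bin\openssl.exe path are my assumptions; adjust the path to your install. The sample specs at the bottom are constructed: a broad list, and the same list with gheist's :!3DES appended.

```powershell
# Added example: expand an Apache SSLCipherSuite string and list any suite that
# still uses 3DES. The cipher-string grammar is OpenSSL's, so "openssl ciphers -v"
# shows exactly what mod_ssl will offer for that string.
function Test-CipherSpecFor3DES {
    param(
        [Parameter(Mandatory)] [string] $Spec,
        [string] $OpenSsl = 'C:\Apache24\bin\openssl.exe'   # assumed install path
    )
    # One line per suite: "NAME  PROTO  Kx=..  Au=..  Enc=..  Mac=.."
    $lines = & $OpenSsl ciphers -v $Spec 2>&1
    if ($LASTEXITCODE -ne 0) {
        # An empty or malformed spec makes openssl exit non-zero ("Error in cipher list");
        # surface that rather than reporting "no 3DES" on a list that offers nothing.
        throw "openssl rejected cipher spec '$Spec': $lines"
    }
    # 3DES suites are marked Enc=3DES(168) in the verbose listing.
    $tripleDes = @($lines | Where-Object { $_ -match 'Enc=3DES' })
    [pscustomobject]@{
        Spec        = $Spec
        SuiteCount  = @($lines).Count
        TripleDes   = @($tripleDes | ForEach-Object { ($_ -split '\s+')[0] })
        Offers3DES  = $tripleDes.Count -gt 0
    }
}

# Constructed sample specs. The cipherli.st string quoted above is AES-only, so
# a broader list is used here to show the suffix actually removing something.
$broad = 'ALL:!aNULL'
Test-CipherSpecFor3DES -Spec $broad
Test-CipherSpecFor3DES -Spec "${broad}:!3DES"
```

Run it against the exact string from your httpd.conf before and after editing; Offers3DES should flip to False after the :!3DES suffix, and SuiteCount tells you how much of the list remains so you notice when an exclusion removed more than intended. Restart Apache after the change and confirm externally with SSL Labs.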
 
LVL 36

Expert Comment

by:ArneLovius
+1 for iiscrypto
0
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 125 total points (awarded by participants)
Just adding a final comment here for the sake of determining how to close the question. I don't think we can accurately pick any one particular comment unless the question's author first clarifies whether he's asking about Apache or IIS. If we need to close the question without that information, then I'd recommend an even split across all the comments, since there's value in each one.
1
 
LVL 61

Expert Comment

by:btan
As advised by experts.
0
