• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8736

Disable TLS/SSL support for 3DES cipher suite

Is there an easy way to disable TLS/SSL support for 3DES cipher suite in Windows Server 2012 R2?
0
Susan Jenssen
Asked:
9 Solutions
 
arnold commented:
In 2012 IIS config you have to disable ciphers. In prior versions, using the registry editor, SCHANNEL\Ciphers is where you would disable the protocols you do not want, and the same applies to ciphers.


In IIS, site config, check the SSL ....

Let me check which, and I'll post an updated comment.

There is an SSL Labs site that can help you check/verify the secure connections offered; if I'm not mistaken, the site includes references on how to disable the unwanted options/settings.
0
 
arnold commented:
Here is the reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a3a3d1e3-95f8-481a-8cef-42e386464be5/how-to-disable-sslv2-and-weak-ciphers-in-windows-2008-iis-70?forum=windowsserver2008r2webtechnologies which includes various approaches as well as the reference to the registry changes.

Use ssllabs.com to test your URL after the changes/restart of the IIS site you are testing.
Application/service restart; I think you do not need to reboot.
0
 
btan (Exec Consultant) commented:
You can try the IIS Crypto tool. It also supports pre-defined templates that can be set with a single button click:

PCI. Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH, and PKCS.

FIPS 140-2. Disables everything except TLS 1.0, TLS 1.1, TLS 1.2, Triple DES 168, AES 128, AES 256, SHA1, DH, and PKCS.

BEAST. The same as PCI, but also reorders the cipher suite.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol/amp

You will need to restart the machine for it to take effect.
0
 
gheist commented:
I would wait for the official vendor patch (in a couple of weeks, aka patch wednesday; you reboot then anyway) to:
* Force renegotiation of 3DES connections from the server side (curing CVE-2016-2183 in a way similar to OpenSSL or any latest web browser)
* Enable the flip switch in the registry to dump DES, just like SSLv3
Probably you don't want to disable client-side 3DES on the spot, because sometimes you must connect to legacy devices where that one is fitted with TLS 1.0 to provide any encryption.
On the bright side: do you have huge files on your site to make connections live over 4GB?
0
 
btan (Exec Consultant) commented:
There is a best-practice cipher list which you can try on staging, as the order of preference will go for the most secure if supported. Otherwise remove 3DES from the ordering.
Windows Server 2012 R2 and lower:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
https://www.nartac.com/Support/IISCrypto/FAQ
0
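An added example, not code from any of the answers above: the two registry-level changes the thread points to, done directly in PowerShell on Server 2012 R2 without IIS Crypto, disabling the SChannel Triple DES 168 cipher (arnold's registry route) and removing every 3DES suite such as TLS_RSA_WITH_3DES_EDE_CBC_SHA from the cipher suite order (the tail of btan's list), followed by a check. It assumes an elevated session; `Get-TlsCipherSuite`/`Disable-TlsCipherSuite` are the built-in TLS module cmdlets available from Windows 8.1/Server 2012 R2 onward.

```powershell
# Added example for this thread (not from any answer above). Run elevated.
# Both steps affect SChannel as server AND as client on this host, so if it
# must still reach legacy devices that only offer 3DES (gheist's caveat),
# apply only step 2 on the server and keep the client-side cipher enabled.
# SChannel reads the Ciphers key at boot: a reboot is required afterwards.

# 1. Disable the Triple DES 168 cipher in SChannel (Enabled = 0).
$cipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
if (-not (Test-Path $cipherKey)) {
    New-Item -Path $cipherKey -Force | Out-Null
}
New-ItemProperty -Path $cipherKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

# 2. Remove every 3DES suite from the negotiable cipher suite order
#    (e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA), leaving the AES suites in place.
Get-TlsCipherSuite | Where-Object { $_.Name -like '*3DES*' } | ForEach-Object {
    Disable-TlsCipherSuite -Name $_.Name
    Write-Output "Removed $($_.Name) from the cipher suite order"
}

# 3. Verify before rebooting: no 3DES suite may remain and Enabled must be 0.
$remaining = @(Get-TlsCipherSuite | Where-Object { $_.Name -like '*3DES*' })
$enabled   = (Get-ItemProperty -Path $cipherKey -Name 'Enabled').Enabled
if ($remaining.Count -eq 0 -and $enabled -eq 0) {
    Write-Output '3DES disabled in SChannel; reboot, then re-test the site with SSL Labs.'
} else {
    Write-Warning "3DES still present: $($remaining.Count) suite(s) in order, Enabled=$enabled"
}
```

After the reboot, an external scan (the SSL Labs test mentioned earlier in the thread) confirms the server no longer negotiates any 3DES suite.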
 
gr8gonzo (Consultant) commented:
Everyone above has been talking about IIS, but you have the Apache zone tagged, so just in case you're talking about Apache running on Windows, the answer is to update the SSL section of your httpd.conf file (sometimes it's all in a separate .conf file).

Basically, you should turn off SSLv2 and SSLv3 and TLS v1.0 (if you're trying to stay PCI compliant):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

And then you can specify the ciphers that you want to allow:
SSLCipherSuite RSA:!EXP:!NULL:!HIGH:!MEDIUM:!LOW

The above starts with all the RSA-type ciphers and then excludes weaker ciphers by prefixing them with the ! mark. The "HIGH" keyword represents all 3DES ciphers, so !HIGH removes all 3DES ciphers from the original list.

You can also specify specific ciphers you want or don't want - the shorter version uses aliases, which are defined in the mod_ssl documentation:
https://httpd.apache.org/docs/current/mod/mod_ssl.html

Then make sure you finish off the configuration with:
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

0
 
btan (Exec Consultant) commented:
This has a list of the configuration:
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
https://cipherli.st/
0
 
gheist commented:
Just append :!3DES to the cipher spec and it is gone for good.
0
 
ArneLovius commented:
+1 for iiscrypto
0
 
gr8gonzo (Consultant) commented:
Just adding a final comment here for the sake of determining how to close the question. I don't think we can accurately pick any one particular comment unless the question's author first clarifies whether he's asking about Apache or IIS. If we need to close the question without that information, then I'd recommend an even split across all the comments, since there's value in each one.
1
 
btan (Exec Consultant) commented:
As advised by the experts.
0
Question has a verified solution.
