Solved

Disable TLS/SSL support for 3DES cipher suite

Posted on 2016-09-29
Last Modified: 2016-11-02
Is there an easy way to disable TLS/SSL support for 3DES cipher suite in Windows Server 2012 R2?
Question by:Susan Jenssen
11 Comments
 
LVL 78

Accepted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
ID: 41822855
In the 2012 IIS config you have to disable ciphers. In prior versions, using the registry editor, the SCHANNEL Ciphers key is where you would disable the protocols you do not want, and the same applies to ciphers.


In IIS, site config, check the SSL ....

Let me check which, and I'll post an updated comment.

There is an SSL Labs site that can help you check/verify the secure connections offered; if not mistaken, the site includes references on how to disable the unwanted options/settings.
 
LVL 78

Assisted Solution

by:arnold
arnold earned 125 total points (awarded by participants)
ID: 41822858
Here is the reference: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a3a3d1e3-95f8-481a-8cef-42e386464be5/how-to-disable-sslv2-and-weak-ciphers-in-windows-2008-iis-70?forum=windowsserver2008r2webtechnologies which includes various approaches as well as the reference to the registry changes.

Use ssllabs.com to test your URL after changes/restart of the IIS site you are testing.
Application/service restart; I think you do not need to reboot.
 
LVL 64

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
ID: 41822930
You can try the IIS Crypto tool; it also supports pre-defined templates that can be set with a single button click:

PCI. Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH, and PKCS.

FIPS 140-2. Disables everything except TLS 1.0, TLS 1.1, TLS 1.2, Triple DES 168, AES 128, AES 256, SHA1, DH, and PKCS.

BEAST. The same as PCI, but also reorders the cipher suite.
https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol/amp

You will need to restart the machine for it to take effect

 
LVL 62

Assisted Solution

by:gheist
gheist earned 125 total points (awarded by participants)
ID: 41822966
I would wait for the official vendor patch (in a couple of weeks, aka patch Wednesday; you reboot then anyway) to:
* Force renegotiation of 3DES connections from the server side (curing CVE-2016-2183 in a way similar to OpenSSL or any latest web browser)
* Enable the flip switch in the registry to dump DES just like SSLv3
Probably you don't want to disable client-side 3DES on the spot, because sometimes you must connect to legacy devices where that one is fitted with TLS 1.0 to provide any encryption.
On the bright side: do you have huge files on your site that make connections run over 4 GB?
 
LVL 64

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
ID: 41823014
There is a best-practice cipher list which you can try on staging, as the order of preference will go for the most secure if supported. Otherwise remove 3DES from the ordering.
Windows Server 2012 R2 and lower:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
https://www.nartac.com/Support/IISCrypto/FAQ
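The registry route arnold mentions and the cipher-suite ordering btan posts can be done together in one elevated PowerShell session. The script below is an added example, not code from this thread or from IIS Crypto: it disables the Triple DES 168 cipher under SCHANNEL, then strips every 3DES-based suite out of the cipher suite order so the server no longer advertises TLS_RSA_WITH_3DES_EDE_CBC_SHA (the last entry of the list above). It assumes the cipher suite order is managed through the policy key that the "SSL Cipher Suite Order" Group Policy setting writes, and starts from the OS default list when no policy order exists. Note that the PCI and FIPS 140-2 templates quoted earlier both keep Triple DES 168 enabled, so a template alone does not remove it. As the thread says, a reboot is needed before SCHANNEL picks up the change.

```powershell
# Added example: disable 3DES in SCHANNEL on Windows Server 2012 R2 and remove the 3DES
# suites from the cipher suite order. Run elevated; takes effect after a reboot.
# Assumption: the suite order is managed via the policy key (same value the
# "SSL Cipher Suite Order" GPO writes); the OS default list is the fallback source.

$ErrorActionPreference = 'Stop'

$cipherKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$defaultKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'

# TLS suite names spell it 3DES; the legacy SSL 2.0 suite name spells it DES_192_EDE3.
$threeDesPattern = '3DES|DES_192_EDE3'

function Get-CurrentSuiteOrder {
    # Policy order (REG_SZ, comma separated) wins when present; otherwise the OS default (REG_MULTI_SZ).
    $p = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($p -and $p.Functions) { return @($p.Functions -split ',' | Where-Object { $_ }) }
    return @((Get-ItemProperty -Path $defaultKey -Name Functions).Functions)
}

function Remove-3DesSuites([string[]]$Suites) {
    # Everything that is not 3DES based keeps its relative position.
    return @($Suites | Where-Object { $_ -notmatch $threeDesPattern })
}

# 1. Disable the cipher itself: SCHANNEL honours Enabled=0 under the cipher's subkey.
if (-not (Test-Path $cipherKey)) { New-Item -Path $cipherKey -Force | Out-Null }
Set-ItemProperty -Path $cipherKey -Name Enabled -Value 0 -Type DWord

# 2. Remove the 3DES suites from the negotiated order so nothing advertises them.
$before = Get-CurrentSuiteOrder
$after  = Remove-3DesSuites $before
$value  = $after -join ','
if ($value.Length -gt 1023) {
    # Server 2012 R2 and earlier reject a Functions value longer than 1023 characters.
    throw 'Cipher suite order exceeds 1023 characters; trim the list before writing it.'
}
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name Functions -Value $value -Type String

# 3. Report and read back what is now in the registry. Reboot, then re-test with SSL Labs.
$removed = @($before | Where-Object { $_ -match $threeDesPattern })
"Removed {0} suite(s): {1}" -f $removed.Count, ($removed -join ', ')
"Triple DES 168 Enabled = {0}" -f (Get-ItemProperty -Path $cipherKey -Name Enabled).Enabled
$leftover = @((Get-ItemProperty -Path $policyKey -Name Functions).Functions -split ',' |
    Where-Object { $_ -match $threeDesPattern })
"3DES suites still in the order: {0}" -f $leftover.Count
```

Disabling the cipher and trimming the order are deliberately both done: the Enabled=0 flag is what actually stops SCHANNEL from using 3DES, while the trimmed order keeps the advertised list honest for scanners such as SSL Labs. Keep the `_P256`/`_P384`/`_P521` suffixes on the ECDHE names exactly as they appear in btan's list; 2012 R2 uses that spelling.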
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 125 total points (awarded by participants)
ID: 41823564
Everyone above has been talking about IIS, but you have the Apache zone tagged, so just in case you're talking about Apache running on Windows, the answer is to update the SSL section of your httpd.conf file (sometimes it's all in a separate .conf file).

Basically, you should turn off SSLv2 and SSLv3 and TLS v1.0 (if you're trying to stay PCI compliant):
SSLProtocol all -SSLv2 -SSLv3 -TLSv1

And then you can specify the ciphers that you want to allow:
SSLCipherSuite RSA:!EXP:!NULL:!HIGH:!MEDIUM:!LOW

The above starts with all the RSA-type ciphers and then excludes weaker ciphers by prefixing them with the ! mark. The "HIGH" keyword represents all 3DES ciphers, so !HIGH removes all 3DES ciphers from the original list.

You can also specify specific ciphers you want or don't want - the shorter version uses aliases, which are defined in the mod_ssl documentation:
https://httpd.apache.org/docs/current/mod/mod_ssl.html

Then make sure you finish off the configuration with:
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
 
LVL 64

Assisted Solution

by:btan
btan earned 125 total points (awarded by participants)
ID: 41823766
This has a list of the configuration
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
https://cipherli.st/
 
LVL 62

Assisted Solution

by:gheist
gheist earned 125 total points (awarded by participants)
ID: 41823863
Just append :!3DES to the cipher spec and it is gone for good.
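Putting gr8gonzo's protocol and hardening directives, btan's cipherli.st ordering and gheist's :!3DES together gives the mod_ssl block below. It is an added example, not configuration from this thread; it assumes Apache 2.4 with mod_ssl and mod_headers loaded, and the certificate paths and ServerName are placeholders. One OpenSSL detail worth having in front of you when reading the earlier !HIGH suggestion: in OpenSSL's cipher-string grammar HIGH means every high-strength cipher, AES included, so excluding it strips AES as well; naming 3DES (and RC4) explicitly removes only what you mean to remove.

```apache
# Added example: mod_ssl settings that refuse 3DES by name
# (assumes Apache 2.4, mod_ssl + mod_headers; paths and ServerName are placeholders).
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"

    # No SSLv2/SSLv3. Add -TLSv1 here as well if no legacy clients need TLS 1.0.
    SSLProtocol all -SSLv2 -SSLv3

    # Forward-secret AES-GCM first, then AES-CBC; 3DES and RC4 excluded by name so
    # they cannot come back through a broad alias such as HIGH.
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!MD5:!3DES:!RC4
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set X-Content-Type-Options nosniff
</VirtualHost>
```

Check the string before restarting: `openssl ciphers -v 'EECDH+AESGCM:EDH+AESGCM:EECDH+AES:EDH+AES:!aNULL:!MD5:!3DES:!RC4'` must list no DES-CBC3 entries. After the restart, `openssl s_client -connect www.example.com:443 -cipher 3DES` should fail the handshake, and an SSL Labs scan should no longer report the 3DES suites.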
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41824020
+1 for iiscrypto
 
LVL 35

Assisted Solution

by:gr8gonzo
gr8gonzo earned 125 total points (awarded by participants)
ID: 41844164
Just adding a final comment here for the sake of determining how to close the question. I don't think we can accurately pick any one particular comment unless the question's author first clarifies whether he's asking about Apache or IIS. If we need to close the question without that information, then I'd recommend an even split across all the comments, since there's value in each one.
 
LVL 64

Expert Comment

by:btan
ID: 41869836
As advised by experts.

Question has a verified solution.