SSL Server test

Kishore M
HI All,
I am using Windows Server 2012 R2 Standard, hosted as the Gateway server. I ran IIS Crypto as well, but the overall rating is still only "B".

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128


Can anyone help with this?
Patrick Bogers (Datacenter platform engineer, Lindows)

Commented:
Hi

Can you screenshot the IIS Crypto settings?

Cheers
Hi, attached are the Cipher Suites & SChannel settings from IIS Crypto.
Cipher-settings1.JPG
Cipher-settings2.JPG
SChannel-settings.JPG
Patrick Bogers (Datacenter platform engineer, Lindows)
Commented:
Hi

I would disable the TLS-DHE ciphers and, in SChannel, unselect TLS 1.0 and 1.1, SHA and Diffie-Hellman.
That should bring an A rating.

Cheers
Author

Commented:
Hi, I have tried the same steps: unselected all TLS-DHE ciphers in Cipher Suites and, in SChannel, unselected TLS 1.0 and 1.1, SHA and Diffie-Hellman.

Still no luck, I am getting the B grade only.

I am using the Windows 2012 R2 Standard operating system.

Signature algorithm is SHA256withRSA


TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128
Patrick Bogers (Datacenter platform engineer, Lindows)

Commented:
After the changes, did you reboot the server?

Author

Commented:
Rebooted the server as well.
btan (Exec Consultant)
Distinguished Expert 2018
Commented:
Do check out this site ("Guide to Deploying Diffie-Hellman for TLS") for admins, as it pertains to the past weak-cipher finding for DH: https://weakdh.org/sysadmin.html

Disable Diffie-Hellman under Key Exchanges Enabled:
1. Use IISCrypto to apply the "Best Practices" template
2. Disable TLS 1.0 (assuming SQL is not on the server or these updates have been applied, and RDS/RDWeb is not deployed)
3. Disable MD5 under Hashes Enabled
4. Disable Diffie-Hellman under Key Exchanges Enabled
5. Apply and reboot
http://robwillis.info/2015/10/hardening-ssl-tls-connections-on-windows-server-2008-r2-2012-r2/

Author

Commented:
Hi, you have given the best solution, but I am not sure; the IIS Crypto settings are not making any changes, so I am still getting the B grade only.
btan (Exec Consultant)
Distinguished Expert 2018

Commented:
It may be some apps, but if after rebooting the machine the DH 1024 or TLS 1.0/1.1 still exist according to the IIS Crypto reading, then A may not be achievable. It may be useful if you can share the findings so that we understand what the B is due to, based on the reasons the online report stated.
btan (Exec Consultant)
Distinguished Expert 2018

Commented:
Please kindly advise of any further queries. Thanks.

Author

Commented:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128

Facing an issue with these two keys above. Can you please help me out?
Exec Consultant
Distinguished Expert 2018
Commented:
If you can't use 2048-bit (or larger) DH parameters (and generate new parameters on a regular basis), you should probably disable DHE.

The grade should be capped to B unless they support ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and prioritize it over any CBC suites, or only support suites that use ECDHE_ECDSA with an AEAD cipher.

Author

Commented:
Hi All,

Thanks for the support; the suggestion below helped resolve the issue.

Disconnect the NIC cable, reboot, log in as local administrator, CHECK RSOP and run IIS Crypto.
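The steps btan listed (disable Diffie-Hellman under Key Exchanges, disable TLS 1.0/1.1, reboot) and the resolution above (a policy, visible in RSOP, was undoing the IIS Crypto changes) both come down to SChannel registry state. The following PowerShell audit script is an added example, not code from the thread or from IIS Crypto; it assumes the Windows Server 2012 R2 update that introduced the ServerMinKeyBitLength value (KB3174644) is installed, and that the only policy-managed setting to look for is the SSL Cipher Suite Order under HKLM\SOFTWARE\Policies. Run elevated; reboot after applying.

```powershell
# Added example: audit, and with -Apply enforce, the SChannel settings this thread
# discusses. Not part of the original thread. Assumes KB3174644 for ServerMinKeyBitLength.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$dhKey    = "$schannel\KeyExchangeAlgorithms\Diffie-Hellman"
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-RegValue($path, $name) {
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null } else { return $item.$name }
}

function Set-RegDword($path, $name, $value) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -Value $value -PropertyType DWord -Force | Out-Null
}

# Desired state: DH key exchange disabled (the thread's fix), a 2048-bit floor in case
# DH is ever re-enabled, and TLS 1.0 / 1.1 disabled on the server side.
$desired = @(
    @{ Path = $dhKey; Name = 'Enabled';               Value = 0    },
    @{ Path = $dhKey; Name = 'ServerMinKeyBitLength'; Value = 2048 },
    @{ Path = "$schannel\Protocols\TLS 1.0\Server"; Name = 'Enabled'; Value = 0 },
    @{ Path = "$schannel\Protocols\TLS 1.1\Server"; Name = 'Enabled'; Value = 0 }
)

foreach ($s in $desired) {
    $current = Get-RegValue $s.Path $s.Name          # $null means "not set" (Windows default)
    $state = if ($current -eq $s.Value) { 'OK' } else { "DRIFT (current: $current)" }
    '{0,-24} {1}\{2} wanted {3}' -f $state, $s.Path, $s.Name, $s.Value
    if ($Apply -and $current -ne $s.Value) { Set-RegDword $s.Path $s.Name $s.Value }
}

# The root cause in the thread: a Group Policy cipher-suite order re-applies suites that
# IIS Crypto removed locally. If this value exists, the change has to be made in the GPO.
$gpoSuites = Get-RegValue $policy 'Functions'
if ($gpoSuites) {
    'Policy-managed cipher suite order found (confirm with RSOP/gpresult). DHE suites in it:'
    ("$gpoSuites" -split ',') | Where-Object { $_ -like 'TLS_DHE_*' }
} else {
    'No policy-managed cipher suite order found; local SChannel settings apply.'
}
```

Any line reported as DRIFT after a reboot, or any DHE suite listed under the policy order, points at the domain policy rather than the local IIS Crypto settings.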
btan (Exec Consultant)
Distinguished Expert 2018

Commented:
Thanks for sharing; you may proceed to close the question if there are no further queries.
btan (Exec Consultant)
Distinguished Expert 2018

Commented:
As per the advice given.
