nav2567
SSL version question.
Hello,
The vendor who does our security audit expressed concern about the SSL certificate we are using on our websites. They mentioned that version 3 and TLS v1 are not secure.
I checked, and the version of the cert we purchased is SHA-2.
I usually purchase the latest version cert and apply it to my IIS website. Are there additional things I need to do?
Please advise.
Thanks.
ASKER
Thank you so much. I see some of our sites have TLS 1.0 and SSL 3 enabled. How do I disable them?
Use IIS Crypto, which I provided the link to in my last comment. You should be able to disable SSL, as well as TLS 1.0, but also make sure TLS 1.2 is enabled. Your choice in terms of TLS 1.1, but do proper testing.
Be sure to test the sites after you make your changes.
ASKER
Let me clarify. Do you mean I can disable SSL and TLS 1.0 using IIS Crypto? If yes, would you instruct how again?
ASKER
Thank you again. I have an IIS server that has multiple sites. Most of the sites have only TLS 1.1 and 1.2 enabled, but there are 2 sites which do not.
Can I use the tool to disable TLS 1.0 for just a particular site?
ASKER
I am referring to this link https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1.0,-ssl-2.0,-ssl-3.0,-or-tls-1.0-in-internet-information-services and checked the registry of the server which has a website with TLS 1.0 and SSL 3 enabled.
I do not see any SSL 3 or TLS 1.0 in the PROTOCOLS subkey.
protocols.png
I figured as much... IIS Crypto saves you from having to use the registry editor.
If your website is Internet accessible, I suggest that you run the ssltest online check against it. It provides a good list of areas to improve. This can help in the overall assessment of the weaknesses: https://www.ssllabs.com/ssltest/
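An added example, not part of the original thread: a read-only PowerShell audit of the Schannel `Protocols` subkey discussed above. It covers the case the asker describes, where no `SSL 3.0` or `TLS 1.0` subkey exists and Windows therefore applies its built-in default for that OS version. The function name `Get-SchannelProtocolState` is hypothetical; the registry path and the `Enabled` / `DisabledByDefault` values are the standard Schannel settings.

```powershell
# Added example (not from the thread): read-only audit of Schannel protocol settings.
# These settings are machine-wide; they are not stored per IIS site.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
# Server = inbound connections (IIS). Client = outbound connections made from
# this machine, for example a site's connection to its database server.
$roles     = 'Server', 'Client'

function Get-SchannelProtocolState {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [string] $Role
    )
    $path  = Join-Path (Join-Path $base $Protocol) $Role
    $state = [ordered]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $null
        DisabledByDefault = $null
        Effective         = 'OS default (subkey not present)'
    }
    if (Test-Path -LiteralPath $path) {
        $props = Get-ItemProperty -LiteralPath $path
        $state.Enabled           = $props.Enabled            # $null if the value is absent
        $state.DisabledByDefault = $props.DisabledByDefault
        if ($null -eq $props.Enabled) {
            $state.Effective = 'OS default (Enabled value not set)'
        } elseif ($props.Enabled -eq 0) {
            $state.Effective = 'Disabled'
        } else {
            # Any non-zero DWORD counts as enabled.
            $state.Effective = 'Enabled'
        }
    }
    [pscustomobject] $state
}

# Build one row per protocol and role, then print the table.
$report = foreach ($p in $protocols) {
    foreach ($r in $roles) {
        Get-SchannelProtocolState -Protocol $p -Role $r
    }
}
$report | Format-Table -AutoSize
```

Run it before and after a change made with IIS Crypto or the registry editor, and compare the `Client` rows as well as the `Server` rows.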
ASKER
I have tried IIS Crypto to disable SSL3 and TLS 1.0 and I am not able to access the website anymore.
This is the error:
Microsoft OLE DB provider for SQL server error '80004005'
[DBNETLIB][ConnectionOpen (SECCreateCredentials()).] SSL Security error.
/dbopen.asp, line 4
ASKER
The SQL server we are using is SQL 2008 R2.
I am able to launch a website which is hosted on another IIS server that connects to the same DB server, and this IIS has TLS 1.0 and SSL 3 disabled.
For author advice.
No further inputs from author.
You can use a tool like IIS Crypto to help you.