cindyfiller asked:
how to fix issue: SSL Medium strength cipher suites supported

I get a weekly Nessus scan and I have an issue that reads: SSL Medium strength cipher suites supported. Can someone give me specific steps to correct this? It is a Windows 2008 R2 server. I've found tons of articles, but can't find specific steps. In regedit I don't have anything under Cipher suites. Under Ciphers I have 3 RC4 records: 128/128, 40/128, 56/128. All of them have a DWORD of Enabled with a value of 0... I think that was the proper fix for this issue.

I have several items under Protocols (2 SSL and 2 TLS) and all have Disabled by Default with a value of 1 and Enabled with a value of 0.

From what I've read these are the proper settings??
SOLUTION from btan
cindyfiller (asker):
I did use IIScrypto to make the changes, but am getting the same error that I originally got.  I also used the ssllabs site to test the website.  It provides great info, but doesn't tell me how to fix the issue.

Any other thoughts?
ASKER CERTIFIED SOLUTION
BTW, after running IISCrypto the ssllabs test rated the site with an A (instead of a B). I find it odd that the Nessus scans are still coming up with the same error. But I believe I know what to change manually that will fix this. I'll restart the servers tonight and will be able to verify if all issues have been resolved this weekend.

Thanks for the continued input.
This issue took a combination of both suggestions. IISCrypto added more of the ciphers, but I had to manually go back and disable the AES and Triple DES ciphers before the entire problem was resolved. One without the other didn't work (for example, if I didn't have the Triple DES ciphers I still had the error... it was only once I had that plus disabled it that the error went away).

Thanks to both of you.
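The manual part of that fix (checking each SCHANNEL cipher key and setting its Enabled DWORD to 0, then rebooting) can be made repeatable so the state can be verified before the next Nessus run. The script below is an added example for this thread; it is not IISCrypto's, Nessus's or either poster's code. It assumes the standard SCHANNEL registry paths and key names on Windows Server 2008 R2, and it treats Triple DES, RC4, DES and NULL as the "medium strength or weaker" set, which matches what the asker had to disable. It uses the .NET registry API rather than HKLM:\ paths because the cipher key names contain a slash, which the PowerShell registry provider reads as a path separator.

```powershell
# Added example (not code from this thread, IISCrypto or Nessus): audit, and
# optionally disable, the SCHANNEL cipher keys on Windows Server 2008 R2.
# Assumptions: standard SCHANNEL paths and key names; "medium/weak" = 3DES,
# RC4, DES and NULL. Run elevated; SCHANNEL re-reads these keys only at reboot.
param([switch]$Remediate)

$hklm        = [Microsoft.Win32.Registry]::LocalMachine
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$protoPath   = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Cipher key names SCHANNEL recognises. Names contain "/", so the .NET API is
# used instead of HKLM:\ paths (the provider treats "/" as a separator).
$mediumOrWeak = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
                  'Triple DES 168', 'DES 56/56', 'NULL')
$strong       = @('AES 128/128', 'AES 256/256')
$protocols    = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')

function Read-Dword([string]$SubKey, [string]$Value) {
    # Returns the DWORD, or $null when the key/value is absent (built-in default applies).
    $k = $hklm.OpenSubKey($SubKey)
    if ($null -eq $k) { return $null }
    try { return $k.GetValue($Value) } finally { $k.Close() }
}

function Get-CipherState([string]$Name) {
    $enabled = Read-Dword "$ciphersPath\$Name" 'Enabled'
    if ($null -eq $enabled)  { $state = 'default' }     # key missing: SCHANNEL default (enabled for 3DES/RC4)
    elseif ($enabled -eq 0)  { $state = 'disabled' }
    else                     { $state = 'enabled' }     # 0xffffffff reads back as -1
    $isWeak = $mediumOrWeak -contains $Name
    New-Object PSObject -Property @{
        Cipher  = $Name
        Class   = $(if ($isWeak) { 'medium/weak' } else { 'strong' })
        State   = $state
        Finding = $(if ($isWeak -and $state -ne 'disabled') { 'FLAG: not explicitly disabled' } else { '' })
    }
}

function Get-ProtocolState([string]$Name) {
    # Server-side protocol switches, the same two values the asker saw under Protocols.
    $sub = "$protoPath\$Name\Server"
    $enabled  = Read-Dword $sub 'Enabled'
    $disabled = Read-Dword $sub 'DisabledByDefault'
    New-Object PSObject -Property @{
        Protocol          = $Name
        Enabled           = $(if ($null -eq $enabled)  { 'default' } else { $enabled })
        DisabledByDefault = $(if ($null -eq $disabled) { 'default' } else { $disabled })
    }
}

function Disable-Cipher([string]$Name) {
    # Creates the key if needed and sets Enabled = 0, the same change made by hand in regedit.
    $k = $hklm.CreateSubKey("$ciphersPath\$Name")
    try { $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) } finally { $k.Close() }
}

if ($Remediate) {
    foreach ($c in $mediumOrWeak) { Disable-Cipher $c }
    Write-Host 'Medium/weak ciphers set to Enabled=0; reboot before re-running the scan.'
}

'--- Ciphers ---'
($mediumOrWeak + $strong) | ForEach-Object { Get-CipherState $_ } |
    Format-Table Cipher, Class, State, Finding -AutoSize
'--- Protocols (Server side) ---'
$protocols | ForEach-Object { Get-ProtocolState $_ } |
    Format-Table Protocol, Enabled, DisabledByDefault -AutoSize
```

Run it once without arguments to see which cipher keys are missing or still enabled (a missing Triple DES key shows as "default", which is why the finding persisted until that key was created and disabled), and with `-Remediate` from an elevated prompt to write the Enabled=0 values before the scheduled reboot.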
btan:

Thanks for sharing, but strange that you mentioned disabling AES. Is it the shorter key length version of AES that you disabled, e.g. 128 length? Thought it would not matter though to the error.