how to fix issue: SSL Medium strength cipher suites supported

I get a weekly Nessus scan and I have an issue that reads: SSL Medium strength cipher suites supported. Can someone give me specific steps to correct this? It is a Windows 2008 R2 server. I've found tons of articles, but can't find specific steps. In regedit I don't have anything under Cipher suites. Under ciphers I have 3 RC4 records: 128/128, 40/128, 56/128. All of them have a dword of Enabled with a value of 0... I think that was the proper fix for this issue.

I have several items under Protocols (2 SSL and 2 TLS) and all have Disabled by Default with a value of 1 and Enabled with a value of 0.

From what I've read these are the proper settings??
cindyfiller asked:
btan (Exec Consultant) commented:
Try the IISCRYPTO tool. Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5, as well as enable TLS 1.1 and 1.2.
https://www.nartac.com/Products/IISCrypto
Restart the machine after the setting.
1
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
https://www.ssllabs.com/ssltest provides a thorough tester tool also.

If you post your actual URL, likely someone can test it + find the exact problem + pass along a fix for you.
0
cindyfiller (Author) commented:
I did use IIScrypto to make the changes, but am getting the same error that I originally got. I also used the ssllabs site to test the website. It provides great info, but doesn't tell me how to fix the issue.

Any other thoughts?
0
btan (Exec Consultant) commented:
Disable DES and 3DES too and restart. For the SSLTEST, can you share the flagged issues found too?
0
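The DES/3DES change suggested in this post, as an added example that is not part of the original thread: a PowerShell script that reports the SCHANNEL `Enabled` value for both ciphers and, with `-Apply`, sets it to 0. The `-Apply` switch and helper function names are this example's own; the key names are the standard SCHANNEL cipher key names, and a restart is still required as the post says.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$weak = 'DES 56/56', 'Triple DES 168'   # SCHANNEL key names for DES and 3DES
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-State($value) {
    # A missing key or value is not the same as disabled: the OS default applies.
    if ($null -eq $value) { 'not set (OS default)' }
    elseif ($value -eq 0) { 'disabled' }
    else                  { 'enabled' }
}

function Get-Enabled($path) {
    # .NET API instead of the registry provider, which would split the
    # "DES 56/56" key name at the "/" as if it were a path separator.
    $key = $hklm.OpenSubKey($path)          # read-only; $null if the key is absent
    if ($null -eq $key) { return $null }
    try { return $key.GetValue('Enabled') } finally { $key.Close() }
}

foreach ($name in $weak) {
    $path   = "$base\$name"
    $before = Get-Enabled $path
    if ($Apply -and $before -ne 0) {
        $key = $hklm.CreateSubKey($path)    # opens the key, creating it if needed
        try { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    }
    New-Object PSObject -Property @{
        Cipher = $name
        Before = Get-State $before
        After  = Get-State (Get-Enabled $path)
    } | Select-Object Cipher, Before, After
}
```

A row that reports "not set (OS default)" means the cipher key or its `Enabled` value does not exist yet, so nothing has explicitly turned that cipher off.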

cindyfiller (Author) commented:
BTW, after running the IIScrypto the ssllabs test rated the site with an A (instead of a B). I find it odd that the Nessus scans are still coming up with the same error. But I believe I know what to change manually that will fix this. I'll restart the servers tonight and will be able to verify if all issues have been resolved this weekend.

Thanks for the continued input.
0
cindyfiller (Author) commented:
This issue took a combination of both suggestions. IIScrypto added more of the ciphers, but I had to manually go back and disable the AES and Triple DES ciphers before the entire problem was resolved. One without the other didn't work (for example, if I didn't have the Triple DES ciphers I still had the error... it was only once I had that plus disabled it that the error went away).

Thanks to both of you.
0
btan (Exec Consultant) commented:
Thanks for sharing, but strange that you mentioned disabling AES. Is it the shorter key length version of AES that you disabled, e.g. 128 length? Thought it would not matter though to the error.
0