Need to Enable SHA384 on Windows Server 2008 R2

Euless_Tech
We are trying to enable SHA384 for TLS 1.2 on our Windows Server 2008 R2. Our credit card merchant account provider is forcing us to do it.
Any detailed steps about enabling the higher version would be appreciated!
Russ Suter, Senior Software Developer

Commented:
Your merchant account provider is complying with PCI DSS 3.2 standards. However, the minimum requirement for compliance is TLS 1.1, not 1.2. You need to make sure the lower protocols (PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0) are disabled. Doing so requires a little registry work but it's not too bad. Here are a couple of articles on how to do it.

https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/
https://social.technet.microsoft.com/Forums/en-US/8753e562-1f55-4361-b31a-865792a9c53c/disable-tls-10-and-enable-only-tls-11-and-12-certificate-upgrade-renewal?forum=winserverDS

Author

Commented:
Thanks for responding Russ.
Regardless of whether PCI DSS 3.2 standards dictate it, our merchant account provider is requiring us to go to it.
The information above is good about enabling TLS 1.1 and 1.2, but I'm looking specifically for something to help enable SHA384.
Russ Suter, Senior Software Developer

Commented:
OK, well first of all, your merchant provider is being unreasonable. I'd start shopping for a new one. TLS 1.1 is acceptable under PCI DSS 3.2. You might want to hold them to the fire and ask why they require TLS 1.2. Push back a bit (nicely). That being said, in what context are you requiring the SHA384 protocol? Is this for IIS, Certificate Authority, or something else?

Author

Commented:
IIS 7
Russ Suter, Senior Software Developer

Commented:
OK then, you're talking about the actual SSL certificate? If that's the case then you'll need to get it re-issued by the certificate authority. They should be able to do this either at no charge or for a minimal fee unless they have some sort of tiered pricing which is one price for SHA256 and another for SHA384 or SHA512.

Author

Commented:
And unfortunately, we have a pretty intricate post/reply configuration set up with the vendor, so changing is not really an option at this time.
I found that the TLS 1.2 settings on the actual server needed to be modified to allow/disallow various connection scenarios.
This is the location of the PowerShell script I ran, which corrected everything:
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
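As an added example (not code from this thread, and not the hass.de script the asker linked), here are the two Schannel registry changes the thread circles around, written as an elevated PowerShell script for a Windows Server 2008 R2 / IIS 7 host: disable the legacy protocols Russ lists, enable TLS 1.1 and TLS 1.2, and put the SHA384 cipher suites first in the Schannel cipher suite order. Two points the thread does not spell out: the `_SHA384` in a cipher suite name is the suite's HMAC/PRF hash, which is what a TLS 1.2 scan reports, and it is independent of the signature hash on the server certificate (re-issuing the certificate changes the latter, not the former); and on 2008 R2 the ECDHE suite names carry a `_P256`/`_P384` curve suffix. The suite list below is an assumed preference order chosen for this example, not something taken from the page; trim it to what your clients actually need. Schannel reads both settings at boot, so reboot afterwards.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 2.0+ session on
# Windows Server 2008 R2 and the Schannel registry layout documented by Microsoft.
$ErrorActionPreference = 'Stop'
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protoRoot "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 + DisabledByDefault=1 turns a protocol off; Enabled=1 + DisabledByDefault=0 turns it on.
        $en  = if ($Enabled) { 1 } else { 0 }
        $dbd = if ($Enabled) { 0 } else { 1 }
        New-ItemProperty -Path $key -Name 'Enabled'           -Value $en  -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $dbd -PropertyType DWord -Force | Out-Null
    }
}

# Turn off everything below TLS 1.1 and turn on TLS 1.1 / TLS 1.2.
foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') { Set-SchannelProtocol -Name $p -Enabled $false }
foreach ($p in 'TLS 1.1', 'TLS 1.2')                       { Set-SchannelProtocol -Name $p -Enabled $true  }

# Cipher suite preference order (assumed list for this example). The _SHA384 / _SHA256 suffix is the
# suite's HMAC/PRF hash, not the certificate's signature hash. Suites the server cannot offer (for
# example if the certificate key type does not match) are simply skipped during negotiation.
$suites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',   # SHA-1 HMAC fallback for TLS 1.1 clients; remove if not required
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)
$order = $suites -join ','
# The policy value is a single REG_SZ and 2008 R2 truncates it at 1023 characters; fail loudly instead.
if ($order.Length -gt 1023) { throw "Cipher suite list is $($order.Length) chars; the 2008 R2 limit is 1023." }

$sslPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $sslPolicy)) { New-Item -Path $sslPolicy -Force | Out-Null }
New-ItemProperty -Path $sslPolicy -Name 'Functions' -Value $order -PropertyType String -Force | Out-Null

# Read back what was written so it can be reviewed before the reboot.
foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $v = Get-ItemProperty -Path (Join-Path $protoRoot "$p\Server")
    '{0,-8} Enabled={1} DisabledByDefault={2}' -f $p, $v.Enabled, $v.DisabledByDefault
}
'Cipher suite order:'
(Get-ItemProperty -Path $sslPolicy).Functions -split ','
```

After the reboot, confirm the result from a separate host with a TLS scanner rather than trusting the registry read-back: the negotiated suite depends on the certificate's key type and the client's offer, so a list that is written correctly can still produce a non-SHA384 handshake if, for instance, the merchant's scanner only offers RSA key exchange.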

Author

Commented:
No one was able to answer my question. I found the solution on the site mentioned on my last comment.
