klsphotos
asked on
How to fix "SSL Medium Strength Cipher Suites Supported" error
Hi Experts,
We have have this error in a Necus report on a 2016 virtual server:
"SSL Medium Strength Cipher Suites Supported"
I've gone here:
https://stackoverflow.com/questions/4886346/how-to-fix-ssl-medium-strength-cipher-suites-supported-in-iis-6-0
and to several other sites telling me to do almost the same thing.
The problem is, we do not have the path in any of these solutions in our registry. There is no schannel or Security Providers.
Is that the issue? :)
Please help, we have to resolve this error and get a clean report and I don't want to make any changes to the registry or add until I am sure that is what is needed for this.
Thank you,
Karen
We have have this error in a Necus report on a 2016 virtual server:
"SSL Medium Strength Cipher Suites Supported"
I've gone here:
https://stackoverflow.com/questions/4886346/how-to-fix-ssl-medium-strength-cipher-suites-supported-in-iis-6-0
and to several other sites telling me to do almost the same thing.
The problem is, we do not have the path in any of these solutions in our registry. There is no schannel or Security Providers.
Is that the issue? :)
Please help, we have to resolve this error and get a clean report and I don't want to make any changes to the registry or add until I am sure that is what is needed for this.
Thank you,
Karen
https://www.nartac.com/Products/IISCrypto/ has a good tool that will help you to remove weaker encryption cipher suites from Windows Server. It will add the appropriate registry keys and values as needed. In answer to your question, yes, you would need to add the keys and values manually if they aren't there.
I am assuming it is Nessus findings
- Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
iiscrypto is useful for Windows check and setting. Note these registry keys do not exist by default; you may have to create them.
Look at the port that vulnerability is appearing on; find out what program is listening on that port. There are often specific fixes (or no available fix) for specific programs. The registry key above will only resolve the issue if the impacted service is using the Windows SCHANNEL encryption libraries/settings.
If you are having Apache
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
- Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
iiscrypto is useful for Windows check and setting. Note these registry keys do not exist by default; you may have to create them.
Look at the port that vulnerability is appearing on; find out what program is listening on that port. There are often specific fixes (or no available fix) for specific programs. The registry key above will only resolve the issue if the impacted service is using the Windows SCHANNEL encryption libraries/settings.
If you are having Apache
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
ASKER
Hello thank you everyone from this and your responses. I tried the program suggested and while it works wonderfully on some of our servers, it's not compatible with this 2016 azure server so I am unable to use this program.
Any other suggestions?
Any other suggestions?
Can consider Powershell
Application gateway (Azure)
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-ssl-policy-powershell
Script based
https://gist.github.com/sidshetye/29d6d48dfa0c2f5488a4
Application gateway (Azure)
https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-configure-ssl-policy-powershell
Script based
https://gist.github.com/sidshetye/29d6d48dfa0c2f5488a4
This question needs an answer!
Become an EE member today
7 DAY FREE TRIALMembers can start a 7-Day Free trial then enjoy unlimited access to the platform.
View membership options
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.