What version of SSL does IIS 7 use by default, and how does one force it to use SSL v3? | ansaurus

tags:

iis7
ssl

views:

1073

answers:

1

Q:

What version of SSL does IIS 7 use by default, and how does one force it to use SSL v3?

I have heard that SSL v2 is a lot less secure than SSL v3 due to flaws in the encryption algorithms it uses. I would like to force my websites running on IIS 7 to use SSL v3. Anyone know how this is done?

Also is it worth forcing 128-bit encryption as well? Has anyone had any performance issues with doing this?

+2 A:

IIS 7 supports at least SSL 3.0, TLS 1.0 and higher.

In SSL/TLS, the version used for each connection is negotiated. The client sends a 'hello' message first which indicates the highest level of the protocol he supports. The server responds with his own 'hello', indicating the highest level he supports that's not higher than the client. In this way, the connection is made using the highest level of support in common between the client and server.

It's unlikely that modern clients would actually request SSL 2.0 (but sometimes they will request later versions with an SSLv2-compatible hello format).

In any case, this article describes how to disable older protocols in IIS 7:

http://support.microsoft.com/?id=187498

Marsh Ray 2009-11-20 15:45:02

Thanks, that was very helpful. After disabling the older protocols, do you have a suggested tool to verify that SSL 3 is indeed being used (e.g. could you use a packet sniffer, or is there a better tool?)

Teevus 2009-11-23 23:57:30

Wireshark is what I would use. Look at the version field in the 'Server Hello' message, don't be alarmed is you see a SSLv2-compatible Client Hello.

Marsh Ray 2009-11-24 18:19:43

related questions

Why is access denied when installing SSL cert on IIS 5?

What does a PHP developer need to know about https / secure socket layer connections?

Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?

Coding Dojo with IE and SSL

Enforce SSL in code in an ashx handler

How to connect to PostgreSQL from .NET using TLS with both client and server authentication?

HELP SSL GURUs!!! ... Problems with SSL Connection

What's a clean/simple way to ensure the security of a page?

How to specify accepted certificates for Client Authentication in .NET SslStream

SharePoint stream file for preview

Problem with Oracle Application Server SSL Certificates

Is there a limit with the number of SSL connections?

Testing HTTPS files with MAMP

Cheapest SSL certificates

Limiting traffic to SSL version of page only

How do I support SSL Client Certificate authentication?

Why can't I connect to my CAS server with Perl's AuthCAS?

Is there a way to make Firefox ignore invalid ssl-certificates?

How do I create a self signed SSL certificate to use while testing a web app.

Can a proxy server cache SSL GETs? If not, would response body encryption suffice?

HTTPS in IIS 5.1

How do you redirect HTTPS to HTTP?

Debugging: IE6 + SSL + AJAX + post form = 404 error

How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS

Options for Google Maps over SSL