tags:

views:

3189

answers:

3
+3  Q: 

Using SSLv3 in IIS 6.0

I recently got a notification from a McAfee service (what used to be called HackerSafe) that my website is using SSLv2 and it should be using SSLv3. I don't know anything about the versions of SSL. My site is using IIS 6.0, is there a setting somewhere to turn on SSLv3 or do I need to install something to make this happen? Also, is there any drawbacks to only using SSLv3? Are there browsers that can only use v2?

+2  A: 

Microsoft has a KB article on disabling SSLv3, obviously it's in the same place as enabling it. http://support.microsoft.com/kb/187498/en-us

TravisO  2008-11-06 22:03:18
+2  A: 

The Microsoft KB Article referenced in TravisO's answer is helpful for general reference. I used the information from that article along with information gathered from ServerSniff.net's SSL analysis tool

Also, you can copy and paste the following snippet into a .reg file to quickly disable SSLv2 on a web farm:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

In regards to browser support for SSLv3, the following information should help (taken from the McAfee Scan Alert):

In Internet Explorer 7, the default HTTPS protocol settings are changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol. By default, IE7 users will only negotiate HTTPS connections using SSLv3 or TLSv1. Mozilla Firefox is expected to drop support for SSLv2 in its upcoming versions.

As almost all modern browsers support SSLv3, disabling support for the weaker SSL method should have minimal impact. The following browsers support SSLv3:

  • Internet Explorer 5.5 or higher (PC)
  • Internet Explorer 5.0 or higher (Mac)
  • Netscape 2.0 (Domestic) or higher (PC/Mac)
  • Firefox 0.8 or higher (PC/Mac/Linux)
  • Mozilla 1.7 or higher (PC/Mac/Linux)
  • Camino 0.8 or higher (Mac)
  • Safari 1.0 or higher (Mac)
  • Opera 1.7 or higher (PC/Mac)
  • Omniweb 3.0 or higher (Mac)
  • Konqueror 2.0 or higher (Linux)
Saul Dolgin  2008-11-13 22:54:52
A: 

If you are looking at fixing this you will probably also want the to fix weak ciphers since most scanners will complain about both. That is Microsoft KB245030. Generally any browser that supports SSLv3 will also support newer and stronger ciphers than the ones turned off by the scripts at that link.

Mark  2009-02-04 23:17:29

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security