Allowing SSL3 and only SSL3

Guest

Hi all, I recently installed a v3 VeriSign certificate on my Windows 2000
Server. I am attempting to limit connections to my website strictly to SSL3
128-bit encryption. The SSL3 connection does work; however, if I test by
either lowering my internet options in IE to disable SSL3 and only enable
SSL2, or test with OpenSSL, I can still successfully make an SSL2 connection.

I'd like to protect my end users. Can I set the server to only make SSL3
connections?

Thanks!
 
I have not tried this myself but see the link below to the KB article that
may be of help on how to disable such protocols. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

Microsoft Windows NT Server stores information about different
security-enhanced channel protocols that Windows NT Server supports. This
information is stored in the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Typically, this key contains the following subkeys:
. PCT 1.0
. SSL 2.0
. SSL 3.0
. TLS 1.0
Each key holds information about the protocol for the key. Any one of these
protocols can be disabled at the server. To do this, you create a new DWORD
value in the server subkey of the protocol. You set the DWORD value to "00
00 00 00."

Note By default, PCT is not enabled on Microsoft Windows Server 2003.
 
I've followed the registry update here:
http://support.microsoft.com/?kbid=245030

Could someone help me out with testing?

Here's what I've done:

Test 1

Tools > Internet Options > Advanced
-Check "Use SSL 2.0"
-Uncheck "Use SSL 3.0"
-Uncheck "Use TLS 1.0"

When I connect I get a v3 sha1RSA connection (this is SSL3, correct?)

Test 2

openssl s_client -connect server:443 -ssl2
....
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
....
GET ...css
(this returns my css page under an SSLv2 connection I've tried to disable)

Any help is appreciated
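
For the testing question above, an added example that is not part of the original thread: a Python probe that sends a raw SSLv2 CLIENT-HELLO and classifies the server's first reply, which gives the same check as `openssl s_client -ssl2` on OpenSSL builds (1.1.0 and later) that no longer ship SSLv2. The function names, cipher list and challenge bytes are this example's own choices.

```python
import socket
import struct
import sys

# SSLv2 cipher kinds, 3 bytes each (constructed list for this example):
# DES-CBC3-MD5 (the cipher seen in the post), RC4-MD5, RC2-CBC-MD5, DES-CBC-MD5.
CIPHERS = bytes.fromhex("0700c0" "010080" "030080" "060040")
CHALLENGE = bytes(range(16))  # constructed; the protocol allows 16 to 32 bytes


def build_client_hello(ciphers=CIPHERS, challenge=CHALLENGE):
    """Return an SSLv2 CLIENT-HELLO record offering only version 0x0002."""
    # msg type 1, version, cipher-spec length, session-id length (0), challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(ciphers), 0, len(challenge))
    body += ciphers + challenge
    # 2-byte record header: high bit set = no padding, low 15 bits = body length
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify(reply):
    """Classify the first bytes the server sent back."""
    if len(reply) < 3:
        return "closed"          # EOF or reset: the handshake was refused
    if reply[0] & 0x80 and reply[2] == 4:
        return "sslv2-accepted"  # SSLv2 SERVER-HELLO: the protocol is still enabled
    if reply[0] & 0x80 and reply[2] == 0:
        return "sslv2-error"     # SSLv2 ERROR message: hello was parsed as SSLv2
    if reply[0] == 0x15:
        return "tls-alert"       # SSL3/TLS alert record: the SSLv2 hello was rejected
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the hello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return classify(s.recv(16))
        except (ConnectionResetError, socket.timeout):
            return "closed"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        print("usage: probe.py HOST")
```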
 