SSL TLS options in Windows registry
-
I am posting a pic of some part of a Server 2012 CRM Dynamics server's registry.
You can see in this picture that TLS 1.2 is not listed in the Security Protocols section here. Yet when client computers connect i look at the certificate info from a browser
How is this happening? Is there somewhere else these connections are being defined as available for server to handshake with?
-
I would expect that the details are coming from IIS itself, rather than from Dynamics.
-
That list in the registry has nothing to do with Certificates in IIS.
Additionally, it only contains things disabled by default unless some other thing has modified it.
You are mixing things up. Why are you even looking in the registry?
-
@momurda said in SSL TLS options in Windows registry:
I am posting a pic of some part of a Server 2012 CRM Dynamics server's registry.
You can see in this picture that TLS 1.2 is not listed in the Security Protocols section here. Yet when client computers connect i look at the certificate info from a browser
How is this happening? Is there somewhere else these connections are being defined as available for server to handshake with?The cert is telling you that the client and the server has negotiated TLS 1.2 as the encryption method. You should use https://www.ssllabs.com/ssltest/ to test the other ciphers and encryption technologies. I use this one for non-public sites. https://testssl.sh/
-
@jaredbusch I was looking at how to turn things like ssl 2 and 3 off.
This got me in the registry where i noticed nothing for TLS.
-
What is the purpose of these registry entries? It seems to have nothing to do with SSL and TLS connections between client and server.
-
@momurda said in SSL TLS options in Windows registry:
What is the purpose of these registry entries? It seems to have nothing to do with SSL and TLS connections between client and server.
You are still talking about different things. Client and server in a Windows environment implies between the desktop and the server.
This has nothing whatsoever to do with IIS.
IIS has it's own settings for SSL.
-
Those registry settings modify what the Windows SChannel library is able to use. It's the back-end for how IIS does encryption (and basically every other Windows service).
Is a pretty good rundown of how it works. https://www.nartac.com/Products/IISCrypto is a free software that simplifies the process.
-
@jaredbusch said in SSL TLS options in Windows registry:
This has nothing whatsoever to do with IIS.
IIS has it's own settings for SSL.It kind of does. IIS uses Schannel to manage it's encryption, by modifying these settings you can actually restrict what ciphers and protocols IIS is able to use.
-
@coliver said in SSL TLS options in Windows registry:
Those registry settings modify what the Windows SChannel library is able to use. It's the back-end for how IIS does encryption (and basically every other Windows service).
Is a pretty good rundown of how it works. https://www.nartac.com/Products/IISCrypto is a free software that simplifies the process.
Correct, but by default this has no effect on IIS serving strong ciphers. they exist and will be used.
-
@jaredbusch said in SSL TLS options in Windows registry:
@coliver said in SSL TLS options in Windows registry:
Those registry settings modify what the Windows SChannel library is able to use. It's the back-end for how IIS does encryption (and basically every other Windows service).
Is a pretty good rundown of how it works. https://www.nartac.com/Products/IISCrypto is a free software that simplifies the process.
Correct, but by default this has no effect on IIS server strong ciphers. they exists and will be used.
But a client can negotiate for a weaker cipher. If you turn it off in the Schannel library then IIS can't respond to that request.
-
@coliver @JaredBusch This is what i was trying to get at.
This server doesnt have TLS support? It is fully up to date. I get many Schannel connection errors with CLSID and AppID numbers in the event viewer. I didnt think it had anything to do with IIS but IIS is the only thing this server does.
-
@momurda said in SSL TLS options in Windows registry:
@coliver @JaredBusch This is what i was trying to get at.
This server doesnt have TLS support? It is fully up to date. I get many Schannel connection errors with CLSID and AppID numbers in the event viewer. I didnt think it had anything to do with IIS but IIS is the only thing this server does.Oh, they don't have to be defined in the registry to be enabled on the server. TLS1.0-1.2 are enabled by default on everything Server 2008R2 and up. You could easily create the keys necessary to disable them.
We set this one up to disable TLS1.0.
-
Okay, now I am following what you are talking about.
Yes, disabling the ciphers that you do not want used. But be aware crap might break. For example, Exchange 2010 cannot have certain TLS and ciphers disabled that PCI scans will require. If you do, shit breaks. SO I drop HAProxy in front and it deals with the outside world.
@momurda By default almost all ciphers work on Server 2012 R2. You have to specifically add registry entries to disable ciphers. If there is no entry, the cipher will work. That is the default behavior.
The IISCrypto tool, that @coliver linked, is the best thing out there for the job.
-
If you're looking for a decent cipher list Mozilla maintains a few of them.
https://wiki.mozilla.org/Security/Server_Side_TLS
We've standardized on the Modern list unless we have a specific app that can't do it.
-
Yes, how did i not know about this tool before? Amazing software. I will be doing this tonight after hours. Going to first test on a rarely used webserver now.
-
@momurda said in SSL TLS options in Windows registry:
Yes, how did i not know about this tool before? Amazing software. I will be doing this tonight after hours. Going to first test on a rarely used webserver now.
I have been using for years, it is a great tool but as @JaredBusch it can break a lot of software.
