ML
    • Register
    • Login
    • Search
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups

    SSL TLS options in Windows registry

    IT Discussion
    5
    17
    1004
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • momurda
      momurda last edited by

      I am posting a pic of some part of a Server 2012 CRM Dynamics server's registry.
      0_1522881925186_7521f0b3-cefe-468a-941c-13218deeb6f2-image.png
      You can see in this picture that TLS 1.2 is not listed in the Security Protocols section here. Yet when client computers connect i look at the certificate info from a browser
      0_1522882062804_85836e04-51d1-41dc-93a0-019841e963bc-image.png
      How is this happening? Is there somewhere else these connections are being defined as available for server to handshake with?

      coliver 1 Reply Last reply Reply Quote 1
      • Reid Cooper
        Reid Cooper last edited by

        I would expect that the details are coming from IIS itself, rather than from Dynamics.

        1 Reply Last reply Reply Quote 0
        • JaredBusch
          JaredBusch last edited by

          That list in the registry has nothing to do with Certificates in IIS.

          Additionally, it only contains things disabled by default unless some other thing has modified it.

          You are mixing things up. Why are you even looking in the registry?

          momurda 1 Reply Last reply Reply Quote 0
          • coliver
            coliver @momurda last edited by coliver

            @momurda said in SSL TLS options in Windows registry:

            I am posting a pic of some part of a Server 2012 CRM Dynamics server's registry.
            0_1522881925186_7521f0b3-cefe-468a-941c-13218deeb6f2-image.png
            You can see in this picture that TLS 1.2 is not listed in the Security Protocols section here. Yet when client computers connect i look at the certificate info from a browser
            0_1522882062804_85836e04-51d1-41dc-93a0-019841e963bc-image.png
            How is this happening? Is there somewhere else these connections are being defined as available for server to handshake with?

            The cert is telling you that the client and the server has negotiated TLS 1.2 as the encryption method. You should use https://www.ssllabs.com/ssltest/ to test the other ciphers and encryption technologies. I use this one for non-public sites. https://testssl.sh/

            1 Reply Last reply Reply Quote 1
            • momurda
              momurda @JaredBusch last edited by

              @jaredbusch I was looking at how to turn things like ssl 2 and 3 off.
              This got me in the registry where i noticed nothing for TLS.

              1 Reply Last reply Reply Quote 0
              • momurda
                momurda last edited by

                What is the purpose of these registry entries? It seems to have nothing to do with SSL and TLS connections between client and server.

                JaredBusch 1 Reply Last reply Reply Quote 0
                • JaredBusch
                  JaredBusch @momurda last edited by JaredBusch

                  @momurda said in SSL TLS options in Windows registry:

                  What is the purpose of these registry entries? It seems to have nothing to do with SSL and TLS connections between client and server.

                  You are still talking about different things. Client and server in a Windows environment implies between the desktop and the server.

                  This has nothing whatsoever to do with IIS.
                  IIS has it's own settings for SSL.

                  coliver 1 Reply Last reply Reply Quote 1
                  • coliver
                    coliver last edited by

                    Those registry settings modify what the Windows SChannel library is able to use. It's the back-end for how IIS does encryption (and basically every other Windows service).

                    https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

                    Is a pretty good rundown of how it works. https://www.nartac.com/Products/IISCrypto is a free software that simplifies the process.

                    JaredBusch 1 Reply Last reply Reply Quote 1
                    • coliver
                      coliver @JaredBusch last edited by

                      @jaredbusch said in SSL TLS options in Windows registry:

                      This has nothing whatsoever to do with IIS.
                      IIS has it's own settings for SSL.

                      It kind of does. IIS uses Schannel to manage it's encryption, by modifying these settings you can actually restrict what ciphers and protocols IIS is able to use.

                      1 Reply Last reply Reply Quote 0
                      • JaredBusch
                        JaredBusch @coliver last edited by JaredBusch

                        @coliver said in SSL TLS options in Windows registry:

                        Those registry settings modify what the Windows SChannel library is able to use. It's the back-end for how IIS does encryption (and basically every other Windows service).

                        https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

                        Is a pretty good rundown of how it works. https://www.nartac.com/Products/IISCrypto is a free software that simplifies the process.

                        Correct, but by default this has no effect on IIS serving strong ciphers. they exist and will be used.

                        coliver 1 Reply Last reply Reply Quote 0
                        • coliver
                          coliver @JaredBusch last edited by coliver

                          @jaredbusch said in SSL TLS options in Windows registry:

                          @coliver said in SSL TLS options in Windows registry:

                          Those registry settings modify what the Windows SChannel library is able to use. It's the back-end for how IIS does encryption (and basically every other Windows service).

                          https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

                          Is a pretty good rundown of how it works. https://www.nartac.com/Products/IISCrypto is a free software that simplifies the process.

                          Correct, but by default this has no effect on IIS server strong ciphers. they exists and will be used.

                          But a client can negotiate for a weaker cipher. If you turn it off in the Schannel library then IIS can't respond to that request.

                          1 Reply Last reply Reply Quote 0
                          • momurda
                            momurda last edited by

                            @coliver @JaredBusch This is what i was trying to get at.
                            This server doesnt have TLS support? It is fully up to date. I get many Schannel connection errors with CLSID and AppID numbers in the event viewer. I didnt think it had anything to do with IIS but IIS is the only thing this server does.

                            coliver 1 Reply Last reply Reply Quote 0
                            • coliver
                              coliver @momurda last edited by

                              @momurda said in SSL TLS options in Windows registry:

                              @coliver @JaredBusch This is what i was trying to get at.
                              This server doesnt have TLS support? It is fully up to date. I get many Schannel connection errors with CLSID and AppID numbers in the event viewer. I didnt think it had anything to do with IIS but IIS is the only thing this server does.

                              Oh, they don't have to be defined in the registry to be enabled on the server. TLS1.0-1.2 are enabled by default on everything Server 2008R2 and up. You could easily create the keys necessary to disable them.

                              0_1522944160818_7ebbc580-d3ec-45fd-81c3-804f9fd13c20-image.png

                              We set this one up to disable TLS1.0.

                              1 Reply Last reply Reply Quote 1
                              • JaredBusch
                                JaredBusch last edited by

                                Okay, now I am following what you are talking about.

                                Yes, disabling the ciphers that you do not want used. But be aware crap might break. For example, Exchange 2010 cannot have certain TLS and ciphers disabled that PCI scans will require. If you do, shit breaks. SO I drop HAProxy in front and it deals with the outside world.

                                @momurda By default almost all ciphers work on Server 2012 R2. You have to specifically add registry entries to disable ciphers. If there is no entry, the cipher will work. That is the default behavior.

                                The IISCrypto tool, that @coliver linked, is the best thing out there for the job.

                                1 Reply Last reply Reply Quote 3
                                • coliver
                                  coliver last edited by

                                  If you're looking for a decent cipher list Mozilla maintains a few of them.

                                  https://wiki.mozilla.org/Security/Server_Side_TLS

                                  We've standardized on the Modern list unless we have a specific app that can't do it.

                                  1 Reply Last reply Reply Quote 1
                                  • momurda
                                    momurda last edited by

                                    Yes, how did i not know about this tool before? Amazing software. I will be doing this tonight after hours. Going to first test on a rarely used webserver now.

                                    dbeato 1 Reply Last reply Reply Quote 0
                                    • dbeato
                                      dbeato @momurda last edited by

                                      @momurda said in SSL TLS options in Windows registry:

                                      Yes, how did i not know about this tool before? Amazing software. I will be doing this tonight after hours. Going to first test on a rarely used webserver now.

                                      I have been using for years, it is a great tool but as @JaredBusch it can break a lot of software.

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post