From: Smokey Grindel on
Is there any way to force TLS 1.0 instead of SSL 3 as the security scheme? We
are trying to bring our systems up to "government" specifications which
require SSL 3.1 (aka TLS 1.0) and not SSL3 to be used... any guidance on
how to meet this standard? Thanks!



From: .._.. on
In IIS 6 it takes a registry hack. In my experience, that method only works
some of the time, or at least the tools used to detect the security level
don't understand the change and report it as too low anyway.

If SSL 3 is available and the client isn't set to use it, what are the
possible outcomes? Security is used at a lower level, or not at all. Some
brain-dead auditors will still yammer about it, but those folk are not too
bright. Someone using older tools probably HAS to, and you deny service to
them completely if you force it one way or the other. (Note, this applies to
publicly accessible sites or wide-spread account-based sites, if you are
running a site for a small list of people, use SSH instead.)

"Smokey Grindel" <nospam(a)vospect.com> wrote in message
news:09190FE9-51A4-4581-82F8-00402D760F63(a)microsoft.com...
> Is there any way to force TLS 1.0 instead of SSL 3 as the security scheme?
> We are trying to bring our systems up to "government" specifications which
> require SSL 3.1 (aka TLS 1.0) and not SSL3 to be used... any guidance on
> how to meet this standard? Thanks!


From: Kocureq on
Smokey Grindel wrote:
> Is there any way to force TLS 1.0 instead of SSL 3 as the security
> scheme? We are trying to bring our systems up to "government"
> specifications which require SSL 3.1 (aka TLS 1.0) and not SSL3 to be
> used... any guidance on how to meet this standard? Thanks!

If you're ready to reject all clients supporting SSL 3 but not TLS, then
just disable SSL 3 (and lower) and enable TLS in the registry:

http://support.microsoft.com/kb/187498

--
/\ /\ [ Jakub 'Kocureq' Anderwald ] /\ /\
=^;^= [ [nick][at][nick].com ] =^;^=
/ | [ GG# 1365999 ICQ# 31547220 ] | \
(___(|_|_| [ kocureq(a)jabber.org ] |_|_|)___)
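
The registry change discussed in this thread, as an added example that is not part of any post above: a PowerShell script that reports the server-side Schannel protocol state before and after turning off SSL 3 and lower and leaving TLS 1.0 on. The key paths and the `Enabled` value name are the standard Schannel protocol settings and are not quoted in the thread; the function names are hypothetical, and writing `1` for TLS 1.0 (rather than simply leaving it unset) is an assumption.

```powershell
# Added example, not code from the thread. Run from an elevated prompt on the IIS server.
# Schannel protocol settings live under this key (not quoted in the thread itself).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired server-side state: SSL 3 and lower off, TLS 1.0 on.
# Enabled = 1 for TLS 1.0 is an assumption; any non-zero value is treated as "enabled" below.
$desired = @(
    @{ Protocol = 'PCT 1.0'; Enabled = 0 },
    @{ Protocol = 'SSL 2.0'; Enabled = 0 },
    @{ Protocol = 'SSL 3.0'; Enabled = 0 },
    @{ Protocol = 'TLS 1.0'; Enabled = 1 }
)

# Hypothetical helper: read the current server-side setting for one protocol.
function Get-SchannelServerState {
    param([string]$Protocol)
    $key  = Join-Path $base "$Protocol\Server"
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop)     { return 'not set (OS default)' }
    if ($prop.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

# Hypothetical helper: create the Server subkey if needed and write the Enabled DWORD.
function Set-SchannelServerState {
    param([string]$Protocol, [int]$Enabled)
    $key = Join-Path $base "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
}

foreach ($d in $desired) {
    $before = Get-SchannelServerState -Protocol $d.Protocol
    Set-SchannelServerState -Protocol $d.Protocol -Enabled $d.Enabled
    $after  = Get-SchannelServerState -Protocol $d.Protocol
    '{0,-8} before: {1,-22} after: {2}' -f $d.Protocol, $before, $after
}

# Schannel reads these values at startup, so the change applies after a reboot.
'Reboot the server, then re-test with a client that offers only SSL 3.'
```

The "before" column gives a record of what the server was configured for, which helps when a scanning tool still reports the old level after the change.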