I need to configure IIS 7.5 (Server 2008 R2) to be FIPS 140.2 compliant.
Specifically, this involves disabling all SSL protocols other than TLS 1.0.
I have set the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
to Enabled (DWORD) = 0 as per this KB, but SSL Labs' checker says "SSL 2.0+ Upgrade Support" is enabled. (Everything other than that and TLS 1.0 is unavailable, so we're getting somewhere.) It also says "FIPS ready - no", presumably because SSL 2.0+ Upgrade Support is still enabled.
serversniff.net says SSL 2.0 is turned off, and doesn't say anything about SSL 2.0+ Upgrade Support. Could this be an anomaly with SSL Labs' checker?
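The registry changes described in the question, as an added PowerShell example (not part of the original post): it reports the current Server\Enabled value for each listed protocol, sets Enabled = 0 where needed, and reports again. It assumes an elevated session on the Server 2008 R2 host and that SCHANNEL re-reads the keys only after a reboot.

```powershell
# Added example, not from the original question: audit and apply the SCHANNEL
# server-side protocol settings from the question on Server 2008 R2 / IIS 7.5.
# Assumes: run elevated; a reboot is still required before SCHANNEL honours the change.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'PCT 1.0'   # the protocols the question disables

function Get-SchannelServerState {
    # Report the Server\Enabled value for each protocol; $null means the key or value is absent.
    foreach ($p in $protocols) {
        $key = Join-Path $base "$p\Server"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        New-Object PSObject -Property @{ Protocol = $p; Key = $key; Enabled = $enabled }
    }
}

function Disable-SchannelServerProtocol {
    param([Parameter(Mandatory=$true)][string]$Protocol)
    $key = Join-Path $base "$Protocol\Server"
    # Create the key if it does not exist yet (-Force also creates the intermediate keys).
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 (REG_DWORD) is the value the question sets to turn the protocol off.
    New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
}

Write-Host 'Before:'
Get-SchannelServerState | Format-Table Protocol, Enabled, Key -AutoSize

foreach ($p in $protocols) { Disable-SchannelServerProtocol -Protocol $p }

Write-Host 'After (reboot required before SCHANNEL re-reads these keys):'
Get-SchannelServerState | Format-Table Protocol, Enabled, Key -AutoSize
```

Running only Get-SchannelServerState is a quick way to confirm the three Enabled values actually read 0 before re-testing with an external scanner.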
It means that the server supports the SSLv2 handshake, even though it may not support SSLv2 itself. Essentially it's an optimization. Instead of a client first requesting SSLv2 (with an SSLv2 handshake) and failing (if the server does not support it), then having to request SSLv3 or better (with an SSLv3 handshake), the client can use the SSLv2 handshake to indicate support for newer protocols.
http://sourceforge.net/mailarchive/forum.php?thread_name=20100629171623.43012oj4b2hgrzi8%40webmail.mxes.net&forum_name=ssllabs-discuss
You can confirm that it is an issue with the SSL Labs Checker by changing the configuration in your browser to only accept SSL 2.0. If you can connect to your site, then SSL 2.0 is still enabled. Otherwise, it is disabled.
A company called Nartac Software makes a free IIS Crypto configuration tool that can be used to enable/disable protocols and cipher suites in IIS on Windows 2003, 2008 and 2012. It also comes with templates for configuring IIS to be FIPS 140.2 compliant, integrates with the Qualys SSL site analyzer for testing public URLs, and has a list of other validation tools that can be used to validate internal sites.