cjhaas.com Basically a place that Chris can post solutions to problems so he can easily find them later

December 30, 2010

How to disable legacy/unsafe SSL algorithms in Microsoft IIS

Filed under: Uncategorized — Tags: , , — Chris Haas @ 12:52 pm

One of our servers was recently audited for a certain certification and unfortunately we failed the initial test. For the most part we’re running a basic install of IIS on a Windows Server 2003 R2 Standard x64. To pass the test we had to disable the older algorithms for the SSL/TLS protocol as well as the older SSL 2.0 protocol. Disabling SSLv2 was easy but it was a little hard to read the individual algorithms that we needed to disable to compare to our report from our audit company. So below are keys that we disabled in the Ciphers key:

  • DES 56/56
  • NULL
  • RC2 40/128
  • RC4 40/128

Below is a registry snapshot that you should be able to import to do it for you. (Standard rules such as “this worked for me but it might not work for you” and “messing with the registry is dangerous so make sure you back it up first” obviously apply).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersDES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersNULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC4 40/128]
"Enabled"=dword:00000000

After making these changes restart iis and then you should test to make sure that you’re okay. To test IIS, first install OpenSSL on the machine that you want to test from. NOTE, this doesn’t have to be the server itself (and I don’t recommend it), it can be any machine that can access your server. I installed this on my workstation. Once installed make sure that you can run “openssl.exe” from the command line. If not, you’ll need to adjust your PATH environmental variable. For me the OpenSSL binary was installed to “C:Program FilesGnuWin32bin“.

In the command lines below substitute 192.168.1.1 with your server’s IP and 443 with your server’s SSL port (if for some crazy reason you changed it.)

The first step is to make sure that SSL 2.0 is disabled:

openssl s_client -connect 192.168.1.1:443 -ssl2

If you get an error about “handshake failure” then SSLv2 has been disabled. If you get a long message that includes a certificate then its still running. (Note, the registry keys above were for ciphers only, not SSLv2). To see what a successful message looks like run the same command above but change ssl2 to ssl3:

openssl s_client -connect 192.168.1.1:443 -ssl3

The next step is to test the individual ciphers:

openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher EDH-RSA-DES-CBC3-SHA

That last part needed to be tested with the following 9 ciphers:

  • DHE-RSA-AES128-SHA
  • DHE-RSA-AES256-SHA
  • DES-CBC-MD5
  • DES-CBC-SHA
  • AES256-SHA
  • EXP-RC2-CBC-MD5
  • EXP-RC4-MD5
  • EDH-RSA-DES-CBC-SHA
  • EDH-RSA-DES-CBC3-SHA
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher DHE-RSA-AES128-SHA
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher DHE-RSA-AES256-SHA
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher DES-CBC-MD5
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher DES-CBC-SHA
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher AES256-SHA
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher EXP-RC2-CBC-MD5
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher EXP-RC4-MD5
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher EDH-RSA-DES-CBC-SHA
openssl s_client -connect 192.168.1.1:443 -ssl3 -cipher EDH-RSA-DES-CBC3-SHA

Assuming all of these fail with a handshake failure (and assuming I remembered all of the ones I tested) you should be set.

April 23, 2010

Unrecognized attribute ‘targetFramework’

Filed under: Uncategorized — Tags: , , , — Chris Haas @ 3:28 pm

I just installed the 4.0 framework on two servers and then had VS 2010 upgrade a test site from 3.5 to 4.0. When I tried accessing the site in my browser I got the error message Unrecognized attribute 'targetFramework'. The solution appears to be simple, just right-click the site in IIS, switch to the ASP.Net tab and change the framework to the 4.0 framework. Unfortunately for me our servers are 64-bit but are running IIS in 32-bit compatibility mode (Enable32bitAppOnWin64) because of some 3rd-party COM components. And because of this the ASP.Net tab apparently doesn’t show up in IIS. (And in fact the 32-bit version of AspNetMmcExt.tlb which controls that tab doesn’t even get installed which makes a little sense I guess.)

So without the ASP.Net tab how do you set the site’s framework version? Pretty easily, luckily.

First you need to find out your site’s IIS ID. Launch IIS Manager, click on Web Sites and look for your site’s Identifier in the right-hand panel. In my case its “1966841543″.

Next, drop to a command-line and navigate to the directory of the framework version that you want to use, in my case C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319

Finally, run the following command substituting your site’s ID as needed:
aspnet_regiis.exe -s W3SVC/1966841543/ROOT

In my case I was only testing a sub-site so I actually ran:
aspnet_regiis.exe -s W3SVC/1966841543/ROOT/V2

Powered by WordPress