21

I believe I have disabled SSL 2.0 on my web server (Windows Server 2003). To make sure that it is now using SSL 3.0, how can I check this?

What is the correct way to disable 2.0 and enable 3.0 on a web server?

wahle509

6 Answers

29

IIS will negotiate the SSL version to be used with the client and so should select the highest version that will work with that client. By disabling SSL v2 you are saying that any clients that cannot use V3 will not be able to make an SSL connection; is this what you want?

As far as checking that it is using V3, if you have access to a Linux machine (or Cygwin on Windows) with openssl installed, you can run this command:

openssl s_client -connect server.com:443 -ssl3

If you can connect, then it is working. Substitute ssl3 for ssl2 if you want to check SSL2.

Sam Cogan
  • What I want is to disable 2.0, so clients are forced to use 3.0 or TLS 1.0. – wahle509 Jan 26 '10 at 17:59
  • That's all very well, but if the client does not support 3.0 or TLS 1.0 then they will not be able to connect – Sam Cogan Jan 27 '10 at 08:49
  • I wouldn't worry too much about clients without SSL v3 / TLS 1.0 support being able to connect. These protocols have been supported in common web browsers since the mid-90's: http://stackoverflow.com/questions/881563/what-browsers-only-support-sslv2 – Andy Holt Sep 24 '12 at 09:43
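
An added example (not part of any answer on this page): the per-protocol check described above, done with raw sockets in Python for when the local openssl build lacks the -ssl2 or -ssl3 options. The function names, the cipher lists offered and the localhost default are assumptions of this example.

```python
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# Assumed offers: extension-free RSA suites (RC4-MD5, RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA)
SUITES = bytes.fromhex("00040005000a002f0035")
SSL2_SPECS = bytes.fromhex("0100800300800700c0")  # RC4_128, RC2_128_CBC, DES_192_EDE3_CBC

def client_hello(version):
    """Minimal extension-less ClientHello whose highest offered version is `version`."""
    ver = bytes(version)
    body = ver + os.urandom(32) + b"\x00" + struct.pack("!H", len(SUITES)) + SUITES + b"\x01\x00"
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + ver + struct.pack("!H", len(handshake)) + handshake

def sslv2_client_hello():
    """SSLv2 CLIENT-HELLO: 2-byte header (MSB set), message type 1, version 0x0002."""
    body = b"\x01\x00\x02" + struct.pack("!HHH", len(SSL2_SPECS), 0, 16) + SSL2_SPECS + os.urandom(16)
    return struct.pack("!H", 0x8000 | len(body)) + body

def classify(offered, reply):
    """Interpret the first bytes the server sent back for a probe of `offered`."""
    if offered == "SSLv2":  # SERVER-HELLO is message type 4 behind the 2-byte header
        ok = len(reply) >= 3 and reply[0] & 0x80 and reply[2] == 4
        return "accepted" if ok else "rejected"
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:  # ServerHello
        chosen = (reply[9], reply[10])
        return "accepted" if chosen == VERSIONS[offered] else "rejected (server chose %d.%d)" % chosen
    if len(reply) >= 7 and reply[0] == 0x15:  # alert record: level, then description
        return "rejected (alert %d)" % reply[6]
    return "rejected"  # reset, timeout or unparseable reply

def probe(host, port, name, timeout=5.0):
    """Send one hello for protocol `name` to host:port and classify the reply."""
    hello = sslv2_client_hello() if name == "SSLv2" else client_hello(VERSIONS[name])
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(hello)
            reply = s.makefile("rb").read(11)  # up to 11 bytes, fewer if the peer closes
    except OSError:
        reply = b""  # reset or timeout counts as a refusal
    return classify(name, reply)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # default is an assumption
    for name in ["SSLv2", *VERSIONS]:
        print(name, probe(host, 443, name))
```

A rejection means no handshake succeeded with the suites offered here, so a server that allows the protocol but none of these suites is also reported as rejected. TLS 1.3 is not probed, since it is negotiated through an extension.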
4

Here is the official Microsoft documentation on how to disable a specific SSL protocol.

The openssl test is definitely the easiest. There are binary distributions of openssl available for Windows.

MattB
4

Run this command:

openssl.exe s_client -connect localhost:443

or

http://www.foundstone.com/us/resources/proddesc/ssldigger.htm

http://www.serversniff.net

golimar
opexxx
  • How do you use "openssl.exe s_client -connect localhost:443"? I don't think I have openssl.exe on the server. Also, I have installed the SSLDigger tool, but don't know how to use it. Any help? – wahle509 Jan 26 '10 at 17:39
  • wahle509: You can get OpenSSL for Windows from here http://www.slproweb.com/products/Win32OpenSSL.html – proy Jan 26 '10 at 19:15
4

The easiest way to verify that SSL 2.0 is disabled is to use http://www.serversniff.net/content.php?do=ssl or https://www.ssllabs.com/ssldb/index.html

Robert
0

https://www.ssllabs.com/ssltest/index.htm In the result there is a Configuration section; in its Protocols sub-section all versions and their support are listed.

Ivan
0

Updated info for 2017 tech

For viewing current protocol version only (not changing it)

Visit the HTTPS page in question and click the green lock icon in the address bar of your browser. From here you can click for more detailed information which includes the protocol version currently in use.

Edit Per Comment:
This won't allow you to find ALL available versions. If you are running the latest browser you are likely to only connect with the latest available TLS/SSL version. For a quick test to make sure that you have the latest version available, this is a very easy choice.

KnightHawk
  • That won't tell you if other, less secure protocols are available, though. A full test is important. – ceejayoz Jun 01 '17 at 15:43