I am running a Windows 2008 server with IIS7. I need to use SSL 3.0 for PCI compliance, but whenever I read up on using it, all the articles explain how to disable SSL 2.0. If I do this, will IIS automatically use SSL 3.0 from that point on?

In the registry here [HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols] it only has an SSL 2.0 folder with a Client folder in it. Is that correct? Shouldn't there be an SSL 3.0 folder?

CodesInChaos
webnoob

1 Answer


Yes, disabling SSL 2.0 will ensure that IIS only uses SSL 3.0 or TLS 1.0. You can also disable individual cipher algorithms to ensure that SSL3/TLS only use the "best" algorithms available, although this is not really a practical issue if you select "require 128-bit encryption" from the GUI in the IIS SSL configuration. All of the >128-bit algorithms in SSL3 and TLS are "strong", have no practical breaks, and unless you have very specific regulatory requirements can be used safely.

See http://support.microsoft.com/kb/187498 for details.

rmalayter
  • Thanks for that. Just for some more clarification: if I enable SSL 3.0, will it have any implications on SSL certificates already in place on some websites on the server? Also, do I NEED to restart the server? – webnoob May 31 '11 at 13:13
  • No on the impact to existing certificates, but yes to the restart. Registry changes to the SChannel stuff don't take effect until a reboot. – Shane Madden May 31 '11 at 14:12
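The registry layout the answer and KB 187498 describe, as an added PowerShell example (not code from the question, the answer, or Microsoft): it audits the per-protocol Server/Client keys under the SCHANNEL\Protocols path quoted in the question and creates the key the asker found missing, writing the Enabled=0 / DisabledByDefault=1 DWORDs that SChannel reads from it. It assumes an elevated session on the server; the function and variable names are the example's own, and as the comment above notes, nothing takes effect until the box is rebooted.

```powershell
# Audit and disable SChannel protocols on Windows Server 2008 / IIS7.
# Assumes an elevated PowerShell session; requires a reboot to take effect.
$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Report the Server/Client state of each protocol key.
    # A missing key means the OS default applies for that protocol and side.
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $ProtocolsRoot $p) $side
            $enabled = $null; $disabledByDefault = $null
            $exists = Test-Path $key
            if ($exists) {
                $item = Get-ItemProperty -Path $key
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            # New-Object (not [pscustomobject]) so this also runs on PowerShell 2.0,
            # which is what Windows Server 2008 ships with.
            New-Object PSObject -Property @{
                Protocol = $p; Side = $side; KeyExists = $exists
                Enabled = $enabled; DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Disable-SchannelProtocol {
    # Create the protocol's Server (and Client) key if absent and set
    # Enabled=0 plus DisabledByDefault=1, per KB 187498.
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,
        [string[]]$Sides = @('Server', 'Client')
    )
    foreach ($side in $Sides) {
        $key = Join-Path (Join-Path $ProtocolsRoot $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Usage: audit, disable SSL 2.0 for both sides, re-audit, then reboot the server.
Get-SchannelProtocolState | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
Disable-SchannelProtocol -Protocol 'SSL 2.0'
Get-SchannelProtocolState -Protocols 'SSL 2.0' | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
```

Because Disable-SchannelProtocol takes the protocol name as a parameter, the same function covers the other protocol keys under that path should a later policy require it.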