I have searched all over and can't seem to find an answer.

I am attempting to disable SSL 3.0 and enable TLS 1.1 and TLS 1.2 on my Windows 2008 R2 server using IIS 7.5.

I have made all the registry changes necessary and have rebooted the server multiple times, but ssllabs.com is still reporting SSL3 on with TLS1.1 and TLS1.2 off.

I also used IISCrypto to apply the keys with the same results after reboot.

I have done this on all our other servers with success, but this server will not take the changes.

Any ideas?

Thanks, James O.

James O
  • Can you provide the output of: `nmap --script ssl-enum-ciphers -p 443 hostname`. You can download nmap here: https://nmap.org/dist/nmap-7.12-win32.zip – Greg Askew Sep 08 '16 at 15:26
  • Your suggestion showed me what the problem is. This is a Citrix Secure Gateway. IIS is listening on port 444 whereas the Secure Gateway is listening on port 443. When I run your command on port 443, I see SSL3 on, but when I run it on port 444, SSL3 is off and TLS1.1 and 1.2 are on. I guess I need to make some changes in the Citrix software. – James O Sep 08 '16 at 17:07

2 Answers

Is your site behind a load balancer such that the public facing URL isn't directly going to your IIS box(es)? If so, you need to make those changes on the load balancer.

Ryan Bolger
  • There is no load balancer. Traffic goes directly to IIS on the server. – James O Sep 08 '16 at 14:34
  • I was wrong. Apparently traffic is redirected to the Citrix Secure Gateway installed on this server and then to IIS. See answer below for solution. – James O Sep 08 '16 at 17:15

Thanks Greg and Ryan. Your comments made me realize that IIS is not handling incoming traffic directly. I did not take into consideration that the Citrix Secure Gateway was running on this server.

After following the instructions at http://support.citrix.com/article/CTX201762, SSL3 is now disabled.

Unfortunately, the Secure Gateway does not support TLS 1.1 or TLS 1.2 though.

Thanks, James O.

James O
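
Added example (not part of the original thread): the problem here turned out to be two listeners on one host giving different results, so the nmap check from the comments is worth running against every TLS port at once (for example `-p 443,444`). This Python script parses `ssl-enum-ciphers` output per port and flags any listener that violates the policy stated in the question; the function names and the sample output are constructed for illustration.

```python
import re

# Policy from the question: SSL 3.0 off, TLS 1.1 and TLS 1.2 on.
FORBIDDEN, REQUIRED = {"SSLv3"}, {"TLSv1.1", "TLSv1.2"}
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv\d\.\d):\s*$")

def protocols_by_port(nmap_text):
    """Map each open port to the protocol versions listed under it."""
    result, port = {}, None
    for line in nmap_text.splitlines():
        if m := PORT_RE.match(line):
            port = int(m.group(1))
            result[port] = set()
        elif (m := PROTO_RE.match(line)) and port is not None:
            result[port].add(m.group(1))
    return result

def audit(nmap_text):
    """Return {port: findings}; an empty list means the listener meets the policy."""
    report = {}
    for port, protos in protocols_by_port(nmap_text).items():
        findings = [f"{p} enabled" for p in sorted(protos & FORBIDDEN)]
        findings += [f"{p} missing" for p in sorted(REQUIRED - protos)]
        report[port] = findings
    return report

# Constructed sample (not output from the thread), trimmed to what the parser reads.
SAMPLE = """\
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: C
444/tcp open  snpp
| ssl-enum-ciphers:
|   TLSv1.0:
|   TLSv1.1:
|   TLSv1.2:
|_  least strength: A
"""

if __name__ == "__main__":
    for port, findings in audit(SAMPLE).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

A port that reports findings while the Schannel registry settings are already correct points to a different process terminating TLS on that port, which is what happened in this thread.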