How do I limit SSL/TLS connections to at least 128-bit encryption?
When I'm ordering an SSL cert for my public web server, how can I be sure that the web server (IIS 6 in my case) will only allow SSL/TLS client connections supporting our corporate standard of at least 128-bits symmetric encryption.
I'm aware you can purchase an SSL cert that supports 128-bit, but during handshaking the client can possibly choose to downgrade the connection to, say, SSLv2 and run with 40-bit encryption.
How can I enforce the client must run 128-bits or better?
Enforcing 128-bit encryption keys via the check box is step 1 to enforcing strong SSL on your webserver, but without explicitly disabling weak encryption algorithms in the registry, clients can request to use less secure methods of encryption (while using keys that are 128-bits in length). Here is the KB for editing the registry http://support.microsoft.com/kb/245030.
However, I followed this, rescanned for vulnerabilities and found that I missed some so here is an article that better explains what to turn off: http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html. You will need to reboot after you are done for the changes to take effect.
There are specific registry keys you can apply to disable SSLv2 and any weak ciphers in IIS.
To disable SSLv2 apply these registry changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
To disable weak ciphers, apply these registry changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:0000000
Source - This page also lists how to disable SSLv2/Weak ciphers in Apache
To test the configuration, you can use OpenSSL, the THCSSLCheck tool, or the new SSL Labs project
You can enforce 128bit encryption in IIS by doing the following:
1.In IIS Manager, double-click the local computer, and then right-click the Web site, directory, or file that you want and click Properties.
2.On the Directory Security or File Security tab, under Secure Communications, click Edit.
3.In the Secure Communications box, select the Require secure channel (SSL) check box.
4.If 128-bit encryption is required, select the Require 128-bit Encryption check box.
5.Click OK.
Source