Posts Tagged ‘SSLv2’

12 Jan 10

No to SSLv2 connections and weak ciphers! (Windows)

It is very common to find current HTTPS servers still supporting SSLv2 connections and weak ciphers (keys shorter than 112 bits) for backward compatibility. Well, you can’t stop people from using old PCs (I really don’t mind if you buy me a new one… lol)!

However, SSLv2 connections and weak ciphers are a vulnerability in your system, even though attacking them is generally hard (heavy computing resources are required, and local access to a network device may also be required).

In Windows, these protocols are handled by SCHANNEL, not by your SSL certificate itself, so you disable them in the Windows registry as below:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    Create a DWORD value named “Enabled” and set it to 0

and

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    Create a DWORD value named “Enabled” and set it to 0

To disable support for weak ciphers in your web server, change the Windows registry as below (the key may not exist yet; create it if needed):

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    Create a DWORD value named “Enabled” and set it to 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    Create a DWORD value named “Enabled” and set it to 0
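The same protocol and cipher changes applied and then audited with PowerShell, as an added example that is not part of the original post. It assumes an elevated prompt on the Windows host and uses exactly the key paths and values listed above; the keys are created through the .NET registry API rather than New-Item, because the PowerShell registry provider treats the “/” in names like “RC4 40/128” as a path separator and would create the wrong keys.

```powershell
# Added example: disable the SCHANNEL protocols and ciphers named in the post
# and report the resulting state. Run elevated; a reboot is still required.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols and ciphers from the post; each gets Enabled = 0 (REG_DWORD).
$protocols = @('PCT 1.0', 'SSL 2.0')
$ciphers   = @('DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

function Set-SchannelDisabled {
    param([string]$SubPath)   # e.g. 'Protocols\SSL 2.0\Server' or 'Ciphers\RC4 40/128'
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    # CreateSubKey opens the key writable, creating it (and any parents) if missing.
    # "/" is a literal character here, unlike in HKLM:\ provider paths.
    $key = $hklm.CreateSubKey("$schannel\$SubPath")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelState {
    param([string]$SubPath)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubPath")
    if ($null -eq $key) { return 'key missing (OS defaults apply)' }
    $v = $key.GetValue('Enabled', $null)
    $key.Close()
    if ($null -eq $v) { return 'Enabled not set (OS defaults apply)' }
    if ($v -eq 0) { return 'disabled' } else { return 'ENABLED' }
}

foreach ($p in $protocols) { Set-SchannelDisabled "Protocols\$p\Server" }
foreach ($c in $ciphers)   { Set-SchannelDisabled "Ciphers\$c" }

# Audit: show the state of every key touched so the change can be verified
# before the restart (and re-run alone afterwards as a compliance check).
foreach ($p in $protocols) { '{0,-24} {1}' -f "Protocols\$p\Server", (Get-SchannelState "Protocols\$p\Server") }
foreach ($c in $ciphers)   { '{0,-24} {1}' -f "Ciphers\$c", (Get-SchannelState "Ciphers\$c") }
```

Running only the audit loops on an unmodified host shows which keys are absent, which is the state in which SCHANNEL falls back to its defaults and the scanner findings below appear.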

After these changes, you need to RESTART your server for the registry settings to take effect. You should then no longer see the following findings from your vulnerability scan:

  • SSL Server Supports Weak Encryption
  • SSL Server Allows Cleartext Encryption
  • SSL Server May Be Forced to Use Weak Encryption
  • SSL Server Allows Anonymous Authentication

Reference:

PCI Compliance – Disable SSLv2 and Weak Ciphers