A colleague of mine showed me Nartac Software IIS Crypto. For some time I was using a ready-made REG file to implement these changes. Most of them rely on the registry adjustments – you simply have to add some keys to the registry and remove or disable the ones which are responsible for old SSL versions. There are also tutorials on how to disable old SSL 2 and SSL 3 in IIS. There are several ways on how to enable TLS 1.2 or TLS 1.3 in IIS. Take a look at how many issues were found – old protocol versions enabled, new ones not available… The list of issues is long and looks like there is a lot of work to do. Here is the sample result from the server that is configured properly:Īnd, to the contrary, here is the server that should be updated immediatelly: Please note that you can test your own website, but you can also test the server you have problems with. My personal favorite is Qualys Labs SSL Server Test. No matter what version of the webserver you are using, you should check your SSL health from time to time. Also, if the recent TLS is not supported, most likely there is still an old SSL 3 or even SSL 2 enabled, which is bad too.
OK, you can tell Firefox to enable the older TLS versions, but will you ask all your users to do so? This is not the way to go. What are the symptoms of the issue? For instance, in Firefox you can see the following message: Secure Connection Failed – SSL_ERROR_UNSUPPORTED_VERSION Some of our clients who are hosting their websites on-premises noticed that they also have something to do with their IIS configuration. It is a good move and this also forces hosting providers to keep their infrastructure up to date. It looks like Firefox and Chrome started to force the usage of TLS version 1.2.
0 kommentar(er)
