TLS 1.1 or 1.2 on IIS6 / Win2003?

  • Question

  • User-293013689 posted
    Please can someone tell me if it's possible (and how) to get TLS1.2 running on IIS6 / Win 2003? Many thanks Matt
    Thursday, May 31, 2012 8:27 AM

Answers

  • User-322036075 posted

    IIS 7.5 (Windows 7 and Windows Server 2008 R2) is the only web server on MS platforms which supports TLS 1.1 and TLS 1.2.

    You will need to upgrade.

    Here is a good read done last year on the compatibility amongst MS platforms and different browsers.

    http://www.g-sec.lu/sslharden/SSL_comp_report2011.pdf

     

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, May 31, 2012 9:02 AM
  • User-2064283741 posted

    I always understood this vulnerability was to do with the ciphers involved. If you do not have the ciphers then it is invalid.

    And if you have other ciphers before it then it uses them first so it is invalid for all sensible purposes.

    http://blogs.msdn.com/b/kaushal/archive/2011/10/03/taming-the-beast-browser-exploit-against-ssl-tls.aspx

    Use this tool to move around the ciphers rather than messing with the registry directly.

    https://www.nartac.com/Products/IISCrypto/Default.aspx

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, May 31, 2012 11:13 AM
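
Added example, not part of the original thread: a small Python model of the point made in the answer above, that the suite the server prefers first decides whether an SSL 3.0 / TLS 1.0 connection ends up on a CBC cipher (the BEAST case). It assumes the server selects by its own preference order; the server orderings and client offers are constructed for illustration.

```python
# Added example, not from the thread. Suite names are standard TLS names;
# the server orderings and client offers below are constructed.
RC4_SHA = "TLS_RSA_WITH_RC4_128_SHA"
RC4_MD5 = "TLS_RSA_WITH_RC4_128_MD5"
DES3_CBC = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
DES_CBC = "TLS_RSA_WITH_DES_CBC_SHA"

# BEAST needs a CBC suite on SSL 3.0 or TLS 1.0 (TLS 1.1+ uses explicit IVs).
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}

CLIENTS = {
    "rc4_capable": [DES3_CBC, RC4_SHA, DES_CBC],
    "cbc_only": [DES3_CBC, DES_CBC],
}
CBC_FIRST = [DES3_CBC, DES_CBC, RC4_SHA, RC4_MD5]
RC4_FIRST = [RC4_SHA, RC4_MD5, DES3_CBC, DES_CBC]
RC4_ONLY = [RC4_SHA, RC4_MD5]


def negotiate(server_pref, client_offer):
    """Assumed server-preference selection: first server suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)


def beast_report(protocol, server_pref, clients=CLIENTS):
    """Return {client: (negotiated suite or None, exposed to BEAST?)}."""
    report = {}
    for name, offer in clients.items():
        suite = negotiate(server_pref, offer)
        exposed = (suite is not None and protocol in BEAST_PROTOCOLS
                   and "_CBC_" in suite)
        report[name] = (suite, exposed)
    return report


if __name__ == "__main__":
    for label, pref in [("CBC first", CBC_FIRST), ("RC4 first", RC4_FIRST),
                        ("RC4 only", RC4_ONLY)]:
        print(label, beast_report("TLSv1.0", pref))
```

In this model, reordering changes the outcome only for clients that offer RC4; a client offering nothing but CBC suites still negotiates one, and with the CBC suites removed it has no common suite at all.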

All replies

  • User-293013689 posted
    Thanks for the reply. I'm basically trying to work out now how on earth I can get my PCI testing passed because of this SSL3/TLS1.0 BEAST vulnerability? It's the only thing I can't seem to fix. Have you any idea? I can't upgrade my OS and everything on it, it's a live web server for a start and I don't have the funds for all the upgrades. Thanks Matt
    Thursday, May 31, 2012 9:23 AM
  • User-293013689 posted
    ----Duplicate, sorry. Didn't realise my posts had to wait for moderating
    Thursday, May 31, 2012 9:52 AM
  • User-322036075 posted

    There appears to have been a patch to mitigate this.

    http://technet.microsoft.com/en-us/security/bulletin/ms12-006

    It should be available in MS critical updates.

    Thursday, May 31, 2012 10:09 AM
  • User-293013689 posted
    Yeah, it's already installed but PCI scan still fails, says it's using TLS1.0 and DES I think. I think I've worked it out though... temporarily disabled DES in the registry leaving only RC4. Re-run the scan which will pass I hope. Then re-enable it after haha :-D Thanks very much for your help Matt
    Thursday, May 31, 2012 10:19 AM
  • User-293013689 posted
    Wow thanks! Exactly what I needed - a way of prioritising ciphers in IIS6 (I thought it was impossible). Cheers very much indeed! Matt
    Thursday, May 31, 2012 1:00 PM