I recently got a notification from a McAfee service (what used to be called HackerSafe) that my website is using SSLv2 and it should be using SSLv3. I don't know anything about the versions of SSL. My site is using IIS 6.0; is there a setting somewhere to turn on SSLv3, or do I need to install something to make this happen? Also, are there any drawbacks to only using SSLv3? Are there browsers that can only use v2?
As a user, you should disable SSLv3 in your browser now to secure yourself when visiting websites that still support SSLv3. By doing this, you will be sure your client won't attempt to establish a connection with SSLv3 and will use a more secure alternative.
In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value. In the Edit DWORD (32-bit) Value window, in the Value Data box, leave the value at 0 and then click OK. Restart your Windows server. You have successfully disabled the SSL v3 protocol.
Verify the status of SSLv3 using the following CLI command: `show sslv3`. If the output indicates "SSL setting is disabled", SSLv3 is disabled and no additional steps are required to disable it. If the output indicates "SSL setting is enabled", SSLv3 is enabled.
SSLv3 and TLSv1 are not the same; however, TLSv1 is based on SSLv3. The protocol is backward compatible and provides a way to determine which version to use through the "handshake" that takes place between the client and the server.
The Microsoft KB Article referenced in TravisO's answer is helpful for general reference. I used the information from that article along with information gathered from ServerSniff.net's SSL analysis tool
Also, you can copy and paste the following snippet into a .reg file to quickly disable SSLv2 on a web farm:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
In regards to browser support for SSLv3, the following information should help (taken from the McAfee Scan Alert):
In Internet Explorer 7, the default HTTPS protocol settings are changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol. By default, IE7 users will only negotiate HTTPS connections using SSLv3 or TLSv1. Mozilla Firefox is expected to drop support for SSLv2 in its upcoming versions.
As almost all modern browsers support SSLv3, disabling support for the weaker SSL method should have minimal impact. The following browsers support SSLv3:
- Internet Explorer 5.5 or higher (PC)
- Internet Explorer 5.0 or higher (Mac)
- Netscape 2.0 (Domestic) or higher (PC/Mac)
- Firefox 0.8 or higher (PC/Mac/Linux)
- Mozilla 1.7 or higher (PC/Mac/Linux)
- Camino 0.8 or higher (Mac)
- Safari 1.0 or higher (Mac)
- Opera 1.7 or higher (PC/Mac)
- Omniweb 3.0 or higher (Mac)
- Konqueror 2.0 or higher (Linux)
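The .reg snippet above flips one value under one key. As an added example that is not part of the original answer, the PowerShell below audits and then disables the same SCHANNEL registry keys for both SSL 2.0 and SSL 3.0 (the latter because the earlier replies on this page recommend disabling SSLv3 as well), on both the Server and Client side, setting `Enabled=0` together with `DisabledByDefault=1`. The key path and the `Enabled` / `DisabledByDefault` DWORD names are the real SCHANNEL locations the answer uses; the function names and the default protocol list are my own choices. Run it elevated, and reboot afterwards, since SCHANNEL reads these values at startup.

```powershell
# Added example, not the original answer's code. Audits and hardens the
# SCHANNEL protocol keys that the .reg snippet above edits by hand.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Report each protocol/side the way SCHANNEL interprets it: a missing key
    # or a missing Enabled value means "OS default", which is NOT "disabled".
    param(
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0'),   # assumed default list
        [string[]]$Sides     = @('Server', 'Client')
    )
    foreach ($p in $Protocols) {
        foreach ($s in $Sides) {
            $key = Join-Path $Base "$p\$s"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                KeyExists         = (Test-Path $key)
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = if ($enabled -eq 0)         { 'Disabled' }
                                    elseif ($null -eq $enabled) { 'OS default' }
                                    else                        { 'Enabled' }
            }
        }
    }
}

function Disable-SchannelProtocol {
    # Create the key if needed and write Enabled=0 plus DisabledByDefault=1,
    # which is the combination Microsoft documents for turning a protocol off.
    # Supports -WhatIf so the change can be previewed on a web farm first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0'),
        [string[]]$Sides     = @('Server', 'Client')
    )
    foreach ($p in $Protocols) {
        foreach ($s in $Sides) {
            $key = Join-Path $Base "$p\$s"
            if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0, DisabledByDefault=1')) {
                if (-not (Test-Path $key)) {
                    New-Item -Path $key -Force | Out-Null
                }
                New-ItemProperty -Path $key -Name 'Enabled' `
                    -PropertyType DWord -Value 0 -Force | Out-Null
                New-ItemProperty -Path $key -Name 'DisabledByDefault' `
                    -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
    }
}

# Usage: audit first, preview the change, then apply and reboot.
Get-SchannelProtocolState | Format-Table -AutoSize
Disable-SchannelProtocol -WhatIf
# Disable-SchannelProtocol        # apply for real
# Restart-Computer                # SCHANNEL picks the values up at boot
```

Two points worth checking after the reboot: re-run `Get-SchannelProtocolState` to confirm every row reads `Disabled`, and test the listener from outside with a client forced to SSLv2/SSLv3, since an absent key shows up as `OS default` and the operating system's default for that version, not this script, then decides whether the protocol is offered.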