Using SSLv3 in IIS 6.0

Question

I recently got a notification from a McAfee service (what used to be called HackerSafe) that my website is using SSLv2 and it should be using SSLv3. I don't know anything about the versions of SSL. My site is using IIS 6.0, is there a setting somewhere to turn on SSLv3 or do I need to install something to make this happen? Also, is there any drawbacks to only using SSLv3? Are there browsers that can only use v2?

Answer 1

The Microsoft KB Article referenced in TravisO's answer is helpful for general reference. I used the information from that article along with information gathered from ServerSniff.net's SSL analysis tool

Also, you can copy and paste the following snippet into a .reg file to quickly disable SSLv2 on a web farm:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

In regards to browser support for SSLv3, the following information should help (taken from the McAfee Scan Alert):

In Internet Explorer 7, the default HTTPS protocol settings are changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol. By default, IE7 users will only negotiate HTTPS connections using SSLv3 or TLSv1. Mozilla Firefox is expected to drop support for SSLv2 in its upcoming versions.

As almost all modern browsers support SSLv3, disabling support for the weaker SSL method should have minimal impact. The following browsers support SSLv3:

• Internet Explorer 5.5 or higher (PC)
• Internet Explorer 5.0 or higher (Mac)
• Netscape 2.0 (Domestic) or higher (PC/Mac)
• Firefox 0.8 or higher (PC/Mac/Linux)
• Mozilla 1.7 or higher (PC/Mac/Linux)
• Camino 0.8 or higher (Mac)
• Safari 1.0 or higher (Mac)
• Opera 1.7 or higher (PC/Mac)
• Omniweb 3.0 or higher (Mac)
• Konqueror 2.0 or higher (Linux)