I have heard that SSL v2 is a lot less secure than SSL v3 due to flaws in the encryption algorithms it uses. I would like to force my websites running on IIS 7 to use SSL v3. Anyone know how this is done?
Also is it worth forcing 128-bit encryption as well? Has anyone had any performance issues with doing this?
SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS).
IIS 7 supports at least SSL 3.0, TLS 1.0 and higher.
In SSL/TLS, the version used for each connection is negotiated. The client sends a 'hello' message first which indicates the highest level of the protocol he supports. The server responds with his own 'hello', indicating the highest level he supports that's not higher than the client's. In this way, the connection is made using the highest level of support in common between the client and server.
It's unlikely that modern clients would actually request SSL 2.0 (but sometimes they will request later versions with an SSLv2-compatible hello format).
In any case, this article describes how to disable older protocols in IIS 7:
http://support.microsoft.com/kb/187498
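As an added example (not part of the original answer and not a script from Microsoft's KB article), the following PowerShell applies the registry change that article describes: it writes the Schannel `Enabled`/`DisabledByDefault` values for the protocols listed, turns off the cipher entries weaker than 128 bits (the second half of the question), and then reads the keys back so the change can be checked. It assumes an elevated prompt on the IIS host, PowerShell 3.0 or later, and that the cipher key names are the ones Schannel uses; Schannel reads these keys at startup, so a reboot is needed before the change takes effect.

```powershell
# Added example: not from the original answer or from Microsoft's KB article.
# Writes the Schannel registry values KB 187498 describes, via the .NET registry
# API (PowerShell's registry provider treats '/' in names such as 'RC4 40/128'
# as a path separator, so New-Item cannot create those cipher keys correctly).
# Assumes an elevated prompt on the IIS host and PowerShell 3.0+; Schannel reads
# these keys at boot, so a restart is required before the change takes effect.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols to disable. 'SSL 2.0' is what the question asks about; add
# 'SSL 3.0' to this list to retire it by the same mechanism.
$protocolsToDisable = @('SSL 2.0')

# Schannel cipher entries weaker than 128 bits (plus NULL). Disabling these is
# how "force 128-bit" is done on the server side.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128')

function Set-SchannelValues {
    param(
        [Parameter(Mandatory=$true)][string]$SubKey,     # relative to the SCHANNEL key
        [Parameter(Mandatory=$true)][hashtable]$Values   # value name -> DWORD
    )
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key = $hklm.CreateSubKey("$schannelPath\$SubKey")   # creates missing keys, opens writable
    try {
        foreach ($name in $Values.Keys) {
            $key.SetValue($name, [int]$Values[$name], [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally {
        $key.Close()
    }
}

function Get-SchannelState {
    param([Parameter(Mandatory=$true)][string]$SubKey)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key = $hklm.OpenSubKey("$schannelPath\$SubKey")
    if ($null -eq $key) {
        # No key at all means the Windows default for that protocol/cipher applies.
        return [pscustomobject]@{ Key = $SubKey; Enabled = 'absent'; DisabledByDefault = 'absent' }
    }
    try {
        [pscustomobject]@{
            Key               = $SubKey
            Enabled           = $key.GetValue('Enabled', 'absent')
            DisabledByDefault = $key.GetValue('DisabledByDefault', 'absent')
        }
    } finally {
        $key.Close()
    }
}

foreach ($p in $protocolsToDisable) {
    # 'Server' governs IIS; 'Client' governs outbound Schannel connections from this host.
    foreach ($side in 'Server', 'Client') {
        # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it out of
        # negotiation even for callers that do not pass an explicit protocol list.
        Set-SchannelValues -SubKey "Protocols\$p\$side" -Values @{ Enabled = 0; DisabledByDefault = 1 }
    }
}

foreach ($c in $weakCiphers) {
    Set-SchannelValues -SubKey "Ciphers\$c" -Values @{ Enabled = 0 }
}

# Read everything back so the change can be verified before rebooting.
$report = @(foreach ($p in $protocolsToDisable) {
    foreach ($side in 'Server', 'Client') { Get-SchannelState -SubKey "Protocols\$p\$side" }
})
$report += @(foreach ($c in $weakCiphers) { Get-SchannelState -SubKey "Ciphers\$c" })
$report | Format-Table -AutoSize
```

The read-back table is the check worth keeping: any row still showing `absent` or `Enabled = 1` after the script has run means that key was not written, and the host will keep negotiating that protocol or cipher after the reboot.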