Subject: How to disable SSL v2 support on IIS 6.0?

Excellent! We have pushed to several windows 2003 boxes with no issues.

--

Thank you,

Steve Schofield
Windows Server MVP - IIS
ASPInsider Member - MCP

http://www.orcsweb.com/
Managed Complex Hosting
#1 in Service and Support

"Ray Yan" <RayYan.RemoveThis@discussions.microsoft.com> wrote in message
news:504E205E-21BC-4401-826A-883E0DA8E05A@microsoft.com...
> That's what I'm looking for!!! Thank you very much, Steve!!!
>
> Ray
>
> "Steve Schofield" wrote:
>
>> These are the instructions to disable SSL 2.0
>>
>> http://support.microsoft.com/kb/187498
>>
>> --
>>
>> Thank you,
>>
>> Steve Schofield
>> Windows Server MVP - IIS
>> ASPInsider Member - MCP
>>
>> http://www.orcsweb.com/
>> Managed Complex Hosting
>> #1 in Service and Support
>>
>> "Ray Yan" <RayYan.RemoveThis@discussions.microsoft.com> wrote in message
>> news:41F01654-B51D-489C-8D84-E1E35AA770F1@microsoft.com...
>> > Hi there,
>> >
>> > We're running a website on a IIS6.0 / Windows2003 SP1 server, with a
>> > Thawte
>> > web server certificate installed to enable HTTPS access. Now we want to
>> > force
>> > client connections use SSL v3 or SLT 1.0 or SLT 1.1 or better, so we
>> > decided
>> > to stop supporting SSL v2 on this server. But we wonder what we have to
>> > do
>> > to
>> > achive this?
>> >
>> > Many thanks in advance!
>> >
>> > Ray
>> >
>>
>>
 >> Stay informed about: Subject: How to disable SSL v2 support on IIS 6.0? 

I actually disabled SSL v2 suppport. How could I validate this change? There is any tool to validate this?

Thanks.


EggHeadCafe.com - .NET Developer Portal of Choice
http://www.eggheadcafe.com
 >> Stay informed about: Subject: How to disable SSL v2 support on IIS 6.0? 

Juan wrote on Tue, 17 Apr 2007 09:14:49 -0700:

> I actually disabled SSL v2 suppport. How could I validate this change?
> There is any tool to validate this?

You could disable TLS and SSL3 in IE, leaving only SSL2 enabled, and then
try to connect - it will fail if SSL2 is disabled.

Dan
 >> Stay informed about: Subject: How to disable SSL v2 support on IIS 6.0? 

Juan Carlos A wrote:
> I actually disabled SSL v2 suppport. How could I validate this
> change? There is any tool to validate this?
>
> Thanks.
>
>
> EggHeadCafe.com - .NET Developer Portal of Choice
> http://www.eggheadcafe.com

http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10...bc-83d4
 >> Stay informed about: Subject: How to disable SSL v2 support on IIS 6.0? 

on a unix based box...
On a command line, type:

openssl s_client -connect TARGET_IP:PORT_NUMBER -ssl2

Where TARGET_IP is the IP address of the host in question and PORT_NUMBER is the port listed in the scan report for this QID.

For mail servers (port 25 and others) which use START TLS, you will need to use: openssl s_client -connect 66.241.44.125:25 -ssl2 -starttls smtp

If the result is an SSL handshake error similar to the example below, the host is not vulnerable:

CONNECTED(00000003)
9216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

However, if the connection is established and a large amount of data is displayed including the SSLv2 handshake information similar to the example below, the issue was successfully reproduced.

SSL handshake has read 798 bytes and written 239 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: F2922D03DA5689A5BE15F3C7A1004B2E
Session-ID-ctx:
Master-Key: 061F4A4851422C0CA55AE99B9DAAF56E4F3E2B4410B1E221
Key-Arg : C13A05C608CABE51
Krb5 Principal: None
Start Time: 1099423702
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

EggHeadCafe - .NET Developer Portal of Choice
http://www.eggheadcafe.com
 >> Stay informed about: Subject: How to disable SSL v2 support on IIS 6.0?