I have schannel configured to disallow insecure protocols and ciphers as per standard recommendations but I Sslscan only reports AES & 3DES as available cipher options.
Although RC4 should be enabled, and is setup as the preferred cipher, it just doesn't come up as an option.
The schannel registry settings are configured as follows:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Ciphers
AES 128/128: Enabled (1)
AES 256/256: Enabled (1)
DES 56/56: Enabled (0)
NULL: Enabled (0)
RC2 128/128: Enabled (0)
RC2 40/128: Enabled (0)
RC2 56/128: Enabled (0)
RC4 128/128: Enabled (1)
RC4 40/128: Enabled (0)
RC4 56/128: Enabled (0)
RC4 64/128: Enabled (0)
Triple DES 168/168: Enabled (1)
Protocols
PCT 1.0
Server: Enabled (0)
SSL 2.0
Server: Enabled (0)
SSL 3.0
Server: Enabled (1)
TLS 1.0
Server: Enabled (1)
TLS 1.1
Server: DisabledByDefault (0), Enabled (1)
TLS 1.2
Server: DisabledByDefault (0), Enabled (1)
HKLM\SYSTEM\CurrentControlSet\Control\
The output of SSLScan is:
Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 128 bits IDEA-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Failed SSLv3 256 bits ADH-AES256-SHA
Failed SSLv3 256 bits DHE-RSA-AES256-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-SHA
Failed SSLv3 256 bits AES256-SHA
Failed SSLv3 128 bits ADH-AES128-SHA
Failed SSLv3 128 bits DHE-RSA-AES128-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-SHA
Failed SSLv3 128 bits AES128-SHA
Failed SSLv3 168 bits ADH-DES-CBC3-SHA
Failed SSLv3 56 bits ADH-DES-CBC-SHA
Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Failed SSLv3 128 bits ADH-RC4-MD5
Failed SSLv3 40 bits EXP-ADH-RC4-MD5
Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 56 bits DES-CBC-SHA
Failed SSLv3 40 bits EXP-DES-CBC-SHA
Failed SSLv3 128 bits IDEA-CBC-SHA
Failed SSLv3 40 bits EXP-RC2-CBC-MD5
Failed SSLv3 128 bits RC4-SHA
Failed SSLv3 128 bits RC4-MD5
Failed SSLv3 40 bits EXP-RC4-MD5
Failed SSLv3 0 bits NULL-SHA
Failed SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ADH-AES256-SHA
Failed TLSv1 256 bits DHE-RSA-AES256-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Failed TLSv1 128 bits ADH-AES128-SHA
Failed TLSv1 128 bits DHE-RSA-AES128-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Failed TLSv1 168 bits ADH-DES-CBC3-SHA
Failed TLSv1 56 bits ADH-DES-CBC-SHA
Failed TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Failed TLSv1 128 bits ADH-RC4-MD5
Failed TLSv1 40 bits EXP-ADH-RC4-MD5
Failed TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 56 bits DES-CBC-SHA
Failed TLSv1 40 bits EXP-DES-CBC-SHA
Failed TLSv1 128 bits IDEA-CBC-SHA
Failed TLSv1 40 bits EXP-RC2-CBC-MD5
Failed TLSv1 128 bits RC4-SHA
Failed TLSv1 128 bits RC4-MD5
Failed TLSv1 40 bits EXP-RC4-MD5
Failed TLSv1 0 bits NULL-SHA
Failed TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s):
SSLv3 168 bits DES-CBC3-SHA
TLSv1 256 bits AES256-SHA
As you can see, RC4 is not accepted as an option.
I've used the same configuration (except for TLS 1.1-1.2) on Windows 2003R2/IIS6 servers before and RC4 hasn't been a problem.
Can anyone help me find why RC4 128/128 is not working?
Thanks!
Answer
The issue why RC4 isn't working is that is has to be set to 0xfffffff or 4294967295 in the registry, not 1 to enable it.
Here's some PowerShell functions which were used to set our IIS installs up with the PCI compliant:
This function is used to enable/disable required protocols
function Set-IISSecurityProtocols {
$protopath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
& reg.exe add "$protopath\PCT 1.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
}
And this function is where you set what ciphers are allowed to be used, or not used
function Set-IISSupportedCiphers {
$cipherpath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
& reg.exe add "$cipherpath\NULL" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\DES 56/56" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 128/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 64/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\Triple DES 168/168" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\AES 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\AES 256/256" /v Enabled /t REG_DWORD /d 4294967295 /f
}
Once these changes have been set (A reboot is required afaik) you then can set the priority in which the ciphers are used.
To immune the BEAST vulnerability it's reccomended you used RC4 first as outlined @ http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php
This will be the case until either
- All browsers patch the BEAST vulnerability
- Or everyone starts supporting TLS1.2
No comments:
Post a Comment