Noonie,

IISCrypto is your friend. But you should really understand a little about protocols and cipher suites and the ordering thereof.

Test your public site with Qualys ssllabs. You're aiming for an A. https://www.ssllabs.com/ssltest/

Using SHA1 certs will lower the score but that's not too much of a worry. You should be able to re-key and get a SHA-2 (SHA256) replacement if it concerns you. Any recently issued cert expiring on or after 1/1/2017 will be SHA2 anyway.

References:
https://support.microsoft.com/kb/245030
https://technet.microsoft.com/en-us/library/cc766285.aspx
https://technet.microsoft.com/en-us/library/security/2880823.aspx

HTH

On 19 Nov 2014 01:48, "noonie" <[email protected]> wrote:
> Greetings,
>
> The recent Poodle issues and Microsoft's broken patch (MS14-006) have now made it necessary for me to actually understand secure connections to our web applications because it appears that when the user can't connect to a web server it is my web application that is broken :-^
>
> For the life of me I can't find a single definitive source as to what the registry keys actually mean. There's plenty of "do it this way" instructions but I don't believe in magic so I want to understand what the effects of changing the keys are likely to be.
>
> There are tantalising fragments of the information I want at various web sites but I haven't found a good description anywhere yet. Does anybody know of a resource I can access that explains why a certain key would be needed and what the effects of the different settings are likely to be?
>
> The keys I'm interested in live at:-
>
> HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
>
> And I've read a number of articles from various sites:-
>
> https://www.nartac.com/blog/post/2013/04/19/IIS-Crypto-Explained.aspx
> http://support2.microsoft.com/kb/2588513
> http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html
> http://serverfault.com/questions/637195/is-there-any-reason-why-tls-1-1-and-1-2-are-disabled-on-windows-server-2008-r2
> http://books.google.com.au/books?id=fQOLBAAAQBAJ&pg=PA448&lpg=PA448&dq=schannel+registry+keys+explained&source=bl&ots=sFcqPREgO9&sig=SUGeh2vCMkCdLOCqGlitcEt2wTw&hl=en&sa=X&ei=IOJrVK2gPISxmwWkloHICQ&ved=0CD0Q6AEwBTgU#v=onepage&q=schannel%20registry%20keys%20explained&f=false
> http://www.adminhorror.com/2011/10/enable-tls-11-and-tls-12-on-windows_1853.html
> http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030
>
> If there is no reasonable reference documentation could someone please answer the following questions:-
>
> What is the real effect of DisabledByDefault on both Server and Client sub-keys?
>
> Are there any nonsense combinations of keys or key values for DisabledByDefault and Enabled?
>
> When would I need to set both Server and Client Keys?
>
> Is it good practice to explicitly set all these keys or is it OK to rely on system defaults for keys that are absent? (I know half the answer to this one because although Windows Server 2008R2 supports TLS 1.1 & 1.2 it will only use them if they are explicitly enabled in this registry hive!)
>
> --
> Regards,
> noonie
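The SCHANNEL\Protocols hive that the question is about can be audited without changing anything, which is the first step before deciding which keys to set. The following PowerShell is an example added to this thread, not code from either correspondent. It assumes the documented meaning of the two DWORD values under each protocol's Server and Client sub-keys: Enabled set to 0 disables that protocol for that role, DisabledByDefault set to 1 keeps the protocol from being used unless an application explicitly asks for it, and an absent key or value leaves the operating system default in force. The function name Get-SchannelProtocolState and the wording of the State column are this example's own choices.

```powershell
# Added example: read-only audit of the SCHANNEL protocol registry hive.
# Assumed (documented) semantics of the two DWORD values per Server/Client sub-key:
#   Enabled           0 = protocol disabled for that role; non-zero = protocol usable
#   DisabledByDefault 1 = protocol not used unless the caller explicitly requests it
# A missing key or value means "system default" for that Windows build.

$schannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    [CmdletBinding()]
    param(
        # Root of the Protocols hive; overridable so the function can be pointed at an exported copy.
        [string]$Path = $schannelProtocols
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "No Protocols key present; every protocol is at its system default."
        return
    }

    # Each child key is a protocol name such as 'SSL 3.0' or 'TLS 1.2'.
    foreach ($protocol in Get-ChildItem -Path $Path) {
        foreach ($role in 'Server', 'Client') {
            $roleKey = Join-Path -Path $Path -ChildPath "$($protocol.PSChildName)\$role"
            $enabled = $null
            $disabledByDefault = $null

            if (Test-Path -Path $roleKey) {
                # Values that are not set come back as $null on the property object.
                $props = Get-ItemProperty -Path $roleKey
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }

            # Interpret the combination; Enabled=0 overrides whatever DisabledByDefault says.
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                'system default (key or values absent)'
            } elseif ($enabled -eq 0) {
                'disabled'
            } elseif ($disabledByDefault -eq 1) {
                'usable only when explicitly requested'
            } elseif ($null -eq $enabled) {
                'Enabled at system default, offered by default'
            } else {
                'enabled and offered by default'
            }

            [pscustomobject]@{
                Protocol          = $protocol.PSChildName
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Print one row per protocol and role so Server and Client settings can be compared side by side.
Get-SchannelProtocolState | Sort-Object -Property Protocol, Role | Format-Table -AutoSize
```

Reading HKLM does not require elevation, so this can be run from an ordinary prompt on each server before and after a change. Rows whose State says "system default" are exactly the ones whose behaviour depends on the Windows version, and rows where Server and Client differ show where only one side of the connection has been configured; comparing the Server rows with the ssllabs report is the simplest way to confirm that the registry and the observed handshake agree.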
