A web search for the string ‘disableSSLv3.ps1’ should give you a TechNet 
description (which might have been the source?) and a few other links. 

  _____  

Ian Thomas
Albert Park, Victoria

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Paul Glavich
Sent: Monday, November 02, 2015 7:46 PM
To: 'ozDotNet'
Subject: RE: [OT] SSL testing

You generally should fix these as it means your system is open to information 
leakage or inspection from malicious people. Depending on the site and what it 
hosts, this may not be a big issue but the tools to exploit these holes get 
more common as time goes on.

To fix the certificate issues, just get a new cert from somewhere like Digicert 
that offers quality certificates that are quite cheap (note: if you have to 
support older OSes like Windows XP, they will not have the necessary root 
certificates installed and thus complain about your cert).

For the other warnings, you generally have to patch the OS to some degree. On 
Windows systems there is a simple PowerShell script that you run which alters 
the registry and disables the fallback to older algorithms that have exploits. 
It does depend on the OS level though as to how much you need to do. I attached 
the PowerShell script I used to disable older algorithms on one of my servers, 
but make sure it suits your OS. I don’t have the link handy where I got it from 
though. Sorry.

- Glav
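As an added example of the kind of script Paul describes (written for this thread, not his attached script and not the TechNet disableSSLv3.ps1 Ian refers to), the block below writes the Schannel registry keys that Windows reads at boot to decide which protocols and ciphers it will negotiate, then reports the resulting state. The registry paths are the standard Schannel locations; the policy it applies (SSL 2.0 and SSL 3.0 off, RC4 off, TLS 1.2 on) is an assumption chosen to clear the SSL 2, POODLE, RC4 and "no TLS 1.2" findings from Greg's scan, and which protocols a given OS version can actually offer varies, so check it against your server and clients. It does nothing about the weak-signature warning, which is fixed by renewing the certificate as Paul says.

```powershell
# Added example, not the script attached to the original mail.
# Run in an elevated PowerShell; Schannel reads these keys at boot, so reboot afterwards.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired protocol state (assumed policy; adjust to what your OS and clients need).
$ProtocolPolicy = @{
    'SSL 2.0' = $false   # obsolete and insecure ("Grade set to F")
    'SSL 3.0' = $false   # POODLE
    'TLS 1.0' = $true    # left on for older clients; turn off if you can
    'TLS 1.1' = $true
    'TLS 1.2' = $true    # scanner reports "not the current best TLS 1.2" if this is off
}

# Schannel cipher key names to disable (RC4 in all key lengths).
$DisabledCiphers = @('RC4 128/128', 'RC4 56/128', 'RC4 40/128')

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    # Each protocol has a Server and a Client subkey; both get Enabled/DisabledByDefault.
    foreach ($Side in 'Server', 'Client') {
        $Key = Join-Path $Schannel "Protocols\$Name\$Side"
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        Set-ItemProperty -Path $Key -Name 'Enabled' -Type DWord `
            -Value $(if ($Enabled) { 1 } else { 0 })
        Set-ItemProperty -Path $Key -Name 'DisabledByDefault' -Type DWord `
            -Value $(if ($Enabled) { 0 } else { 1 })
    }
}

function Disable-SchannelCipher {
    param([string]$Name)
    # Cipher key names such as 'RC4 128/128' contain a slash, which the PowerShell
    # registry provider treats as a path separator, so create the key via the .NET API.
    $Key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$Name")
    $Key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close()
}

function Get-SchannelState {
    # One row per protocol side, showing what is explicitly configured in the registry.
    foreach ($Name in ($ProtocolPolicy.Keys | Sort-Object)) {
        foreach ($Side in 'Server', 'Client') {
            $Key = Join-Path $Schannel "Protocols\$Name\$Side"
            $Props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
            [pscustomobject]@{
                Protocol          = $Name
                Side              = $Side
                Enabled           = if ($null -ne $Props.Enabled) { $Props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $Props.DisabledByDefault) { $Props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# Apply the policy, then show the resulting registry state.
foreach ($Entry in $ProtocolPolicy.GetEnumerator()) {
    Set-SchannelProtocol -Name $Entry.Key -Enabled $Entry.Value
}
foreach ($Cipher in $DisabledCiphers) { Disable-SchannelCipher -Name $Cipher }

Get-SchannelState | Format-Table -AutoSize
Write-Host 'Schannel settings take effect after a reboot; re-run the external scan afterwards.'
```

The state report is the useful part for checking a server you did not configure yourself: a row showing "(OS default)" means the OS decides, and whether that default is on or off differs between Windows versions, which is the "depends on the OS level" point in the mail. Re-running the external scan after the reboot is the only confirmation that the negotiated protocols actually changed.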

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Greg Keogh
Sent: Monday, 2 November 2015 2:40 PM
To: ozDotNet <ozdotnet@ozdotnet.com>
Subject: Re: [OT] SSL testing

I noticed a mate's shopping site over the weekend returning the following in 
the connection info for the certificate:

I just tested my own domain with its 6 month old certificate. I also got a 
series of frightening warnings:

This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
This server accepts the RC4 cipher, which is weak. Grade capped to B.

The long and detailed list of test results is quite complicated. I'm not happy 
about getting an F for flunk grade, but I'm not sure what I can do about it, or 
if I'm even supposed to do anything.

Comments ... anyone knowledgeable on these matters?

Greg K