Configuring IIS7 for TLS 1.0 only

Posted by tomfanning on Server Fault See other posts from Server Fault or by tomfanning
Published on 2010-04-29T18:04:03Z Indexed on 2010/04/29 18:07 UTC
Read the original article Hit count: 699

Filed under:

tls

|

ssl

|

fips-140-2

|

iis7

|

ciper-suites

I have been tasked with configuring an IIS7 server to accept TLS 1.0 HTTPS connections only.

I have come up with the following list of cipher suites which I have deduced are TLS 1.0.

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

I have put that list in the box in the following policy: Computer Configuration | Administrative Templates | Network | SSL Configuration Settings | SSL Cipher Suite Order

Is that sufficient? Are any of the suites in my list not TLS 1.0? Are there any other TLS 1.0 suites supported by IIS7 that aren't in the list?

The server, by the way, is Windows Server 2008 R2.

Thanks

© Server Fault or respective owner

Related posts about tls

OpenVPN Error : TLS Error: local/remote TLS keys are out of sync: [AF_INET]

as seen on Server Fault - Search for 'Server Fault'
Fist off thanks for reading this, I appreciate any and all suggestions. I am having some serious problems reconnecting to my OpenVPN client using Riseup.net's VPN. I have spent a few days banging my head against the wall in attempts to set this up on my iOS devices....but that is a whole other issue… >>> More
Using SSL on slapd

as seen on Server Fault - Search for 'Server Fault'
I am setting up slapd to use SSL on Fedora 14. I have the following in my /etc/openldap/slapd.d/cn=config.ldif: olcTLSCACertificateFile: /etc/pki/tls/certs/SSL_CA_Bundle.pem olcTLSCertificateFile: /etc/pki/tls/certs/mydomain.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/mydomain.key olcTLSCipherSuite:… >>> More
OpenLDAP, howto allow both secure (TLS) and unsecure (normal) connections?

as seen on Server Fault - Search for 'Server Fault'
Installed OpenLDAP 2.4 on FreeBSD 8.1. It works for ordinary connections OR for TLS connections. I can change it by (un)commenting the following lines in slapd.conf. # Enable TLS #security ssf=128 # Disable TLS security ssf=0 Is there a way to allow the clients to connect using TLS OR no-TLS… >>> More
Can't access Postfix TLS/SSL

as seen on Server Fault - Search for 'Server Fault'
I have set up my Postfix, with TLS/SSL, correctly. Every test on the machine itself (with telnet) runs fine. However, when I want to access the server from somewhere else, it fails. So port 587 and the rest is blocked for some reason, but I don't really know where. >>> More
Directory listing through FTPS (TLS) is not working

as seen on Server Fault - Search for 'Server Fault'
We recently switched our server to require TLS for every connection. This is working flawlessly so far, but one of our clients is having problems. Some facts: Server uses Pure-FTPD Server has a passive port range configured Server has no firewall limitations regarding the FTP Client uses WS FTP Client… >>> More

Related posts about ssl

Plesk SSL Certificate (Default cert when SSL enabled, CORRECT cert when SSL is disabled)

as seen on Server Fault - Search for 'Server Fault'
I'm running Plesk 8.6.0: I have an SSL cert installed through Plesk's admin interface. But I have a bit of an issue: When I enabled SSL for the site, and selected my cert, then restart httpd, Plesk defaults to using my self-signed default certificate. Conversely, when I disable SSL support for the… >>> More
apache renew ssl not working [on hold]

as seen on Server Fault - Search for 'Server Fault'
Downloaded a new ssl cert from go daddy and installed the cert on apache2 server put the cert in /etc/ssl/certs/ folder put the gd_bundle.crt in the /etc/ssl/ folder private key is in /etc/ssl/private/private.key I just replaced the original files with the new files, did not replace the private… >>> More
Cant connect to mysql using self signed SSL certificate

as seen on Server Fault - Search for 'Server Fault'
After creating a self-signed SSL certificate, I have configured my remote mysqld to use them (and ssl is enabled) I ssh into my remote server, and try connecting to its own mysqld using ssl (mysql server is 5.5.25).. ~> mysql -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client… >>> More
How to log invalid client SSL certificate in SSL

as seen on Server Fault - Search for 'Server Fault'
I have a IIS web site which requires client certificate. I have turned off CRL checking. The client is unable to access the web site - he gets 403.17 (certificate expired) error. I would like to log the certificate he is using, becaue I think he is using the wrong certificate. Is there a way to… >>> More
Mixing SSL and non-SSL content in an Apache2 virtual host

as seen on Server Fault - Search for 'Server Fault'
I have a (hopefully) common scenario for one of my sites that I just can't seem to figure out how to deploy correctly. I have the following site and directories for example.com: These need to require SSL: /var/www/example.com/admin /var/www/example.com/order These need to be non-SSL: /var/www/example… >>> More