IIS site down after disabling TLS 1.2 - iis

I have an IIS helpdesk system (3rd party so I don't have code access) running on Windows Server 2019 and IIS 10. One of the features it has is to connect to mailboxes via IMAP. When we try and use this it gives us an SSL error.
I was advised by our exchange team that the exchange server uses TLS 1.2, so I enabled it on the server. However, our network team have since advised that the connection attempt is actually being made via TLS 1.0 so I need to ensure TLS 1.1 and 1.2 are disabled on the app server.
I enabled TLS 1.0 and disabled TLS 1.1 without any issues, however when I disable TLS 1.2, the web page for the helpdesk system goes down and just gives an HTTP 500 error. Only when I re-enable TLS 1.2 does it start working again.
I found a few pages on Google of things to try, such as removing and re-adding the bindings in IIS after disabling TLS 1.2 but this hasn't worked.
Any idea why disabling TLS 1.2 breaks the web page? TLS 1.2 was disabled when I first installed the helpdesk system the page worked fine then. According to the vendor of the system, it just uses the TLS version configured on the server, so why does it seem to rely on 1.2? Is there a setting somewhere in IIS that tells it which version to use that needs updating? I didn't have to set anything when I enabled 1.2.
Thanks in advance.

... that the connection attempt is actually being made via TLS 1.0 so I need to ensure TLS 1.1 and 1.2 are disabled on the app server
This conclusion is wrong. TLS versions are not exclusiv to each other. To support TLS 1.0 clients you need to enable TLS 1.0, but keep TLS 1.1 and TLS 1.2 enabled.

You can support both TLS 1.0 and TLS 1.2. Which one is actually used also depends on the other end. Configuring 1.2 everywhere will make it work with 1.2, but you can also leave 1.0 on in case you miss a device that is still using 1.0. TLS is backward compatible. Systems using TLS1.1 and TLS1.0 will continue to function when TLS1.2 is enabled, so if any of your processing requires TLS1.0 and TLS1.1, it will remain available. Nonetheless, it is recommended that your developers upgrade to only run on TLS 1.2. This is necessary because current security standards no longer consider TLS 1.0 and TLS 1.1 to be secure.

Related

Is there a Npgsql release that works with TLS 1.2 and Azure Data Catalog?

could you please advise how I can use Npgsql to enable Azure Data Catalog (ADC) to access an Azure Database for PostgreSQL Server using TLS >= 1.2?
I get the following error when I use the local application for ADC:
When I have no Npgsql version installed
When I have Npgsql version 4.1.4 installed
I get the following error when I use the local application for ADC, and have Npgsql version 2.2.4.3 installed, and the Postgres server uses minimum TLS >= 1.1:
I am able to use the local application for ADC to connect to Postgres, when I set the minimum TLS version to 1.0. However my workplace requires TLS 1.2.
I am receiving a similar issue in Power BI, so I assume this issue is not specific to ADC.
Things I've tried:
Searching the web. I found no applicable info.
Raising the issue with Microsoft. They have not provided an answer.

Websphere 8.5 : Using multiple TLS version for outbound

I am working on configuring multiple TLS version in websphere bpm 8.5.6 .i have selected SSL_TLSV2 to use all tls versions. I am able to see the configuration updated on ssl.client.props file after restart.
But still calls from websphere are rejected by salesforce
UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https
Can anyone help me in configuring multiple tls version through which i can use tls 1.0 and 1.1
Thanks in advance

Disabling TLS 1.0 Windows 2008 R2

For PCI Compliance, TLS 1.0 needs to be disabled. I was able to get this working on Windows 2012 with no problem by editing the registry as follows:
Add DWORD DisabledByDefault and set to 1 for
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Then I rebooted the server. TLS is showing as disabled when running an nmap scan. However doing the same for Windows 2008 R2 doesn't work even though https://support.microsoft.com/en-us/kb/187498 states that it should. When I make the changes to Windows 2008 R2, the SSL site does not show in a browser at all (tried multiple browsers to rule out browser issues).
When hitting the SSL site in Chrome, I get ERR_CONNECTION_RESET but I can telnet to port 443 which would rule out IIS and networking issues. It seems the specific Server key is the one causing issues. When I remove that, the site works in a browser but then nmap shows that TLSv1.0 is enabled which goes back to square one.
Any ideas on getting TLS 1.0 disabled on Windows 2008 R2? I'm out of ideas and have tried a few combinations to no avail.
Thanks for any help!
I was getting the same thing in Windows Server 2008 R2 until I manually added and enabled the TLS 1.1 and TLS 1.2 keys and subkeys and restarted.
Make sure that both the Client and Server subkeys have these DWORD values.
DisabledByDefault = 00000000
Enabled = ffffffff
Check out this Windows support article on the subject https://support.microsoft.com/en-us/kb/245030. (Scroll down to the "For later versions of Windows" section toward the bottom.)

How to disable SSL/TLS renegotiation capability in JBOSS7?

I am running my web application on a JBOSS 7 server. After running an automated scan on the web application it alerts for a TLS1/SSLv3 Renegotiation Vulnerability. On researching a little bit I found that this can be fixed by disabling the capability of jboss server to renegotiate.
I am aware that this was possible in JBOSS 5 by specifying a property of the connector attribute. But this is not possible in JBOSS 7.
Also I am using JDK 1.7 which the documents indicate has the fix.
Anybody has any thoughts on how to fix this vulnerability?

Using SSLv3 in IIS 6.0

I recently got a notification from a McAfee service (what used to be called HackerSafe) that my website is using SSLv2 and it should be using SSLv3. I don't know anything about the versions of SSL. My site is using IIS 6.0, is there a setting somewhere to turn on SSLv3 or do I need to install something to make this happen? Also, is there any drawbacks to only using SSLv3? Are there browsers that can only use v2?
The Microsoft KB Article referenced in TravisO's answer is helpful for general reference. I used the information from that article along with information gathered from ServerSniff.net's SSL analysis tool
Also, you can copy and paste the following snippet into a .reg file to quickly disable SSLv2 on a web farm:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
In regards to browser support for SSLv3, the following information should help (taken from the McAfee Scan Alert):
In Internet Explorer 7, the default
HTTPS protocol settings are changed to
disable the weaker SSLv2 protocol and
to enable the stronger TLSv1 protocol.
By default, IE7 users will only
negotiate HTTPS connections using
SSLv3 or TLSv1. Mozilla Firefox is
expected to drop support for SSLv2 in
its upcoming versions.
As almost all modern browsers support
SSLv3, disabling support for the
weaker SSL method should have minimal
impact. The following browsers support
SSLv3:
Internet Explorer 5.5 or higher (PC)
Internet Explorer 5.0 or higher (Mac)
Netscape 2.0 (Domestic) or higher (PC/Mac)
Firefox 0.8 or higher (PC/Mac/Linux)
Mozilla 1.7 or higher (PC/Mac/Linux)
Camino 0.8 or higher (Mac)
Safari 1.0 or higher (Mac)
Opera 1.7 or higher (PC/Mac)
Omniweb 3.0 or higher (Mac)
Konqueror 2.0 or higher (Linux)
Microsoft has a KB article on disabling SSLv3, obviously it's in the same place as enabling it.
http://support.microsoft.com/kb/187498/en-us
If you are looking at fixing this you will probably also want the to fix weak ciphers since most scanners will complain about both. That is Microsoft KB245030. Generally any browser that supports SSLv3 will also support newer and stronger ciphers than the ones turned off by the scripts at that link.

Resources