How To Enable SSL 3.0 on Server 2008 / SBS 2008 / SBS 2011


Problem

Server 2008, Server 2008 SBS and SBS 2011 do have the functionality for SSL 3.0; however, by default the server does not understand anything that tries to connect with this protocol. If, for security reasons, you need to enable SSL 3.0 on your server, you can enable it with some additional registry keys. Follow the step-by-step guide below.

 

Resolution

(MAKE SURE THAT YOU BACKUP YOUR REGISTRY BEFORE APPLYING THOSE CHANGES)

• Use regedit to add the following keys (right-click on Protocols -> New -> Key -> “SSL 2.0”, then “SSL 3.0”, then “TLS 1.0”)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0

• Under each of the keys above you need to create additional keys “Client” and “Server”

For SSL 2.0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

For SSL 3.0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

For TLS 1.0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Then you will have to create a DWORD (32-bit) value called “Enabled” under each “Client” and “Server” key for SSL 2.0, SSL 3.0 and TLS 1.0.

DWORD (32-bit) Value

Value name = Enabled

Value data = 0

Value data can be set to “1” (Enabled) or “0” (Disabled).

In my scenario the values were “enabled” (set to 1) for SSL 3.0 and TLS 1.0 and “disabled” (set to 0) for SSL 2.0.

[Screenshot: disabled value for SSL 2.0]

[Screenshot: SSL 3.0 enabled]

• The next step is to add the correct ciphers. To do so, navigate to the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

• (right-click on “Ciphers” -> New -> Key)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168

• That’s all! Now you need to restart your server to apply those changes.

• If you are using TMG 2010 or ISA 2006 to publish the website externally, you will need to apply exactly the same registry settings on that server as well.
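
A read-only check of the keys and values created above, as an added example that is not part of the original article: for each protocol and cipher key the article names, it reports whether the key exists and what “Enabled” is set to. The function and variable names are illustrative; run it in PowerShell on the server after the restart.

```powershell
# Added example: read-only audit of the SCHANNEL keys named in this article.
# The .NET registry API is used because the cipher key names contain "/",
# which the PowerShell registry provider treats as a path separator.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm     = [Microsoft.Win32.Registry]::LocalMachine

# Build the list of keys from the article: protocols (Client/Server) and ciphers.
$paths = @()
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    foreach ($role in 'Client', 'Server') { $paths += "Protocols\$proto\$role" }
}
foreach ($cipher in 'RC2 128/128', 'RC4 128/128', 'Triple DES 168/168') {
    $paths += "Ciphers\$cipher"
}

# Describe one key: missing, present without "Enabled", or the DWORD value.
function Get-SchannelState([string]$relativePath) {
    $key = $hklm.OpenSubKey("$schannel\$relativePath")   # opens read-only
    if ($null -eq $key) { return 'key missing (OS default applies)' }
    try {
        $value = $key.GetValue('Enabled', $null)
        if ($null -eq $value) { return 'key present, Enabled not set' }
        return ('Enabled = 0x{0:X}' -f [int]$value)
    }
    finally { $key.Close() }
}

# One row per key; nothing is written to the registry.
$paths | ForEach-Object {
    New-Object PSObject -Property @{ Key = $_; State = (Get-SchannelState $_) }
} | Format-Table Key, State -AutoSize
```

A “key missing” row means the step that creates that key was not applied on this machine, which is the situation to look for on systems where only some of the Protocols subkeys exist.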

2 Comments

  1. Dale Unroe says:

    Noticed in SBS 2011 that the only ~\SCHANNEL\Protocols key I’ve got is SSL 2.0\Client

    A Compliance Scan by Security Metrics is pushing for use of SSL 3.0 and ceasing SSL 2.0. This guide is useful assuming it can be carried forward for use with SBS 2011 (Win2k8R2 underneath). Perhaps you could make a comment that it in fact is applicable to the current SBS 2011 system. …Thx Dale

    • Allen White says:

      Hi Dale, thanks for your input, I've updated the article as it also covers SBS2011 (effectively 2008 R2). I currently have a client who is having similar issues with Security Metrics. They are having that many issues they are thinking of using another compliance company.

      Thanks

      Al
