Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
I have a couple ISA servers (2004 and 2006) that are used to publish a couple HTTPS web sites. We recently had a network audit and one of the things that came back was that the ISA servers were listing SSLv2 and >128-bit ciphers as available for use to web clients.
When I ran SSL Check from serversniff.net it seemed to confirm the results (posted below). Is there a way to specify that ISA only accept TLS1.X/SSLv3 connections? At the very least I need to ensure nothing less than 128-bit encryption is used but I noticed if I set the web listener in ISA 2006 to accept HTTP/HTTPS connections but redirect all incoming HTTP requests to HTTPS that the option in the web publishing rule to always use 128-bit encryption is greyed out, so I'm not sure if that means the ISA 2006 server will accept a 56-bit SSL connection, for example. Ideally I'd like to limit ISA to 128+ bit ciphers and TLS1.X/SSLv3 only.
For reference here are the results for the ISA 2006 server.
Preferred cipher: TLSv1/SSLv3, Cipher is RC4-MD5 RC4(128)

Available SSL2 ciphers:
  DES-CBC3-MD5 168 bit
  RC2-CBC-MD5 128 bit
  RC4-MD5 128 bit
  DES-CBC-MD5 56 bit
  EXP-RC2-CBC-MD5 40 bit
  EXP-RC4-MD5 40 bit

Available SSL3 ciphers:
  DES-CBC3-SHA 168 bit
  RC4-SHA 128 bit
  RC4-MD5 128 bit
  DES-CBC-SHA 56 bit
  EXP-RC2-CBC-MD5 40 bit
  EXP-RC4-MD5 40 bit

Available TLS1 ciphers:
  DES-CBC3-SHA 168 bit
  RC4-SHA 128 bit
  RC4-MD5 128 bit
  DES-CBC-SHA 56 bit
  EXP-RC2-CBC-MD5 40 bit
  EXP-RC4-MD5 40 bit

SSL-Connection:
SSL-Overhead: SSL handshake has read 1017 bytes and written 300 bytes
New, TLSv1/SSLv3, Default Cipher is RC4-MD5
Length of public server-key: 1024 bit
Default protocol : TLSv1
Default Cipher : RC4-MD5

• TLS 1.1 support... no
• fallback from TLS 1.1 to... TLS 1.0
• TLS 1.0 support... yes
• SSL 3.0 support... yes
• server can accept Hello Extensions... yes
• server can accept cipher suites not in SSL 3.0 spec... yes
• server can accept a bogus TLS record version in the client hello... yes
• server understands TLS closure alerts... partially
• server supports session resumption... yes
• ephemeral Diffie Hellman support... no
• ZLIB compression support (TLS extension)... no
• LZO compression support (GnuTLS extension)... no
• SRP authentication support (TLS extension)... no
• OpenPGP authentication support (TLS extension)... no
< Message edited by Jack in the Box -- 23.Feb.2007 11:42:18 PM >
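Added example (not part of the original posts): a small Python check that parses scanner output in the format shown above and lists every offered cipher outside the policy the question asks for (SSLv3/TLS 1.x only, nothing under 128-bit). The function names are illustrative, and the sample input is the cipher list copied from the post.

```python
import re

# Policy from the question: SSLv3/TLS 1.x only, nothing under 128-bit.
ALLOWED_PROTOCOLS = {"SSL3", "TLS1"}  # labels as printed by the scanner
MIN_BITS = 128

# Cipher lists copied from the scan posted above, still in flattened form.
SAMPLE_REPORT = (
    "Available SSL2 ciphers: DES-CBC3-MD5 168 bit RC2-CBC-MD5 128 bit RC4-MD5 128 bit "
    "DES-CBC-MD5 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit\n"
    "Available SSL3 ciphers: DES-CBC3-SHA 168 bit RC4-SHA 128 bit RC4-MD5 128 bit "
    "DES-CBC-SHA 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit\n"
    "Available TLS1 ciphers: DES-CBC3-SHA 168 bit RC4-SHA 128 bit RC4-MD5 128 bit "
    "DES-CBC-SHA 56 bit EXP-RC2-CBC-MD5 40 bit EXP-RC4-MD5 40 bit "
    "SSL-Connection: SSL-Overhead: SSL handshake has read 1017 bytes\n"
)

SECTION_RE = re.compile(r"Available (\w+) ciphers:")
CIPHER_RE = re.compile(r"\s*([A-Z0-9-]+)\s+(\d+)\s+bit\b")

def parse_report(text):
    """Return {protocol: [(cipher, bits), ...]} for each 'Available X ciphers:' section."""
    offered = {}
    headers = list(SECTION_RE.finditer(text))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body, pos, ciphers = text[head.end():end], 0, []
        # Consume "NAME <n> bit" entries only while they are contiguous, so
        # trailing text such as "server-key: 1024 bit" is never misread.
        while (m := CIPHER_RE.match(body, pos)):
            ciphers.append((m.group(1), int(m.group(2))))
            pos = m.end()
        offered[head.group(1)] = ciphers
    return offered

def audit(offered):
    """List (protocol, cipher, bits, reason) for every offer outside the policy."""
    findings = []
    for proto, ciphers in offered.items():
        for name, bits in ciphers:
            reasons = []
            if proto not in ALLOWED_PROTOCOLS:
                reasons.append("protocol not allowed")
            if bits < MIN_BITS:
                reasons.append(f"below {MIN_BITS}-bit")
            if reasons:
                findings.append((proto, name, bits, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_report(SAMPLE_REPORT)):
        print("%-5s %-16s %4d bit  %s" % finding)
```

Re-running the scan after a configuration change and feeding the new output through `audit()` should return an empty list once the listener meets the policy.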
Yep, there seems to be a little GUI problem with the checkbox 'Require 128-bit encryption for HTTPS traffic' if the radio button 'Redirect all traffic from HTTP to HTTPS' is enabled on the Web listener.
However, you can get it to work if you perform the following steps in sequence (I only tested it on ISA 2006):
1. Go to the listener, tab Connections and make sure you select the radio button 'Do not redirect traffic from HTTP to HTTPS'.
2. Next go to the rule, tab Traffic and you will see that the check box 'Notify HTTP users to use HTTPS instead' becomes available. Check that box.
3. By doing that the check box 'Require 128-bit encryption for HTTPS traffic' also becomes available. So, check that box too.
4. Finally, go back to the listener, tab Connections and now select the radio button 'Redirect all traffic from HTTP to HTTPS'.
Thank you very much. I've used that KB article before but I couldn't find it, thanks for the link and thanks for the instructions on how to force 128-bit connections, I'll implement it right away.
I was also looking for solutions in setting up secure SSL connections and found this free tool http://www.gorlani.com/publicprj/CipherControl/ that sets the reg key locally or remotely with no hassle. Bye