
Welcome to ISAserver.org


Possible to specify which SSL protocols/ciphers ISA is allowed to use?

Possible to specify which SSL protocols/ciphers ISA is ... - 23.Feb.2007 7:12:34 PM   
Jack in the Box

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
I have a couple of ISA servers (2004 and 2006) that are used to publish a couple of HTTPS web sites.  We recently had a network audit, and one of the things that came back was that the ISA servers were listing SSLv2 and <128-bit ciphers as available for use to web clients.

When I ran SSL Check from serversniff.net it seemed to confirm the results (posted below).  Is there a way to specify that ISA only accept TLS1.X/SSLv3 connections?  At the very least I need to ensure nothing less than 128-bit encryption is used, but I noticed that if I set the web listener in ISA 2006 to accept HTTP/HTTPS connections but redirect all incoming HTTP requests to HTTPS, the option in the web publishing rule to always use 128-bit encryption is greyed out, so I'm not sure whether that means the ISA 2006 server will accept a 56-bit SSL connection, for example.  Ideally I'd like to limit ISA to 128+ bit ciphers and TLS1.X/SSLv3 only.

For reference, here are the results for the ISA 2006 server.

=====================
Serversniff SSL-Check, using: 
OpenSSL 0.9.8c 05 Sep 2006 

Preferred cipher: 
TLSv1/SSLv3, Cipher is RC4-MD5 RC4(128) 

Available SSL2 ciphers: 
DES-CBC3-MD5 168 bit
RC2-CBC-MD5 128 bit
RC4-MD5 128 bit
DES-CBC-MD5 56 bit
EXP-RC2-CBC-MD5 40 bit
EXP-RC4-MD5 40 bit

Available SSL3 ciphers: 
DES-CBC3-SHA 168 bit
RC4-SHA 128 bit
RC4-MD5 128 bit
DES-CBC-SHA 56 bit
EXP-RC2-CBC-MD5 40 bit
EXP-RC4-MD5 40 bit

Available TLS1 ciphers: 
DES-CBC3-SHA 168 bit
RC4-SHA 128 bit
RC4-MD5 128 bit
DES-CBC-SHA 56 bit
EXP-RC2-CBC-MD5 40 bit
EXP-RC4-MD5 40 bit
SSL-Connection:
SSL-Overhead: SSL handshake has read 1017 bytes and written 300 bytes 
New, TLSv1/SSLv3, Default Cipher is RC4-MD5 
Length of public server-key: 1024 bit 
Default protocol : TLSv1 
Default Cipher : RC4-MD5 
TLS 1.1 support... no
fallback from TLS 1.1 to... TLS 1.0
TLS 1.0 support... yes
SSL 3.0 support... yes
server can accept Hello Extensions... yes
server can accept cipher suites not in SSL 3.0 spec... yes
server can accept a bogus TLS record version in the client hello... yes
server understands TLS closure alerts... partially
server supports session resumption... yes
ephemeral Diffie Hellman support... no
ZLIB compression support (TLS extension)... no
LZO compression support (GnuTLS extension)... no
SRP authentication support (TLS extension)... no
OpenPGP authentication support (TLS extension)... no
=====================

< Message edited by Jack in the Box -- 23.Feb.2007 11:42:18 PM >
Post #: 1
RE: Possible to specify which SSL protocols/ciphers ISA... - 24.Feb.2007 5:11:08 AM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jack,

yep, there seems to be a little GUI problem with the checkbox 'Require 128-bit encryption for HTTPS traffic' if the radio button 'Redirect all traffic from HTTP to HTTPS' is enabled on the Web listener.

However, you can get it to work if you perform the following steps in sequence (I only tested it on ISA 2006): 
1. go to the listener, tab Connections and make sure you select the radio button 'Do not redirect traffic from HTTP to HTTPS'.
2. next go to the rule, tab Traffic and you will see that the check box 'Notify HTTP users to use HTTPS instead' becomes available. Check that box.
3. by doing that the check box 'Require 128-bit encryption for HTTPS traffic' also becomes available. So, check that box too. 
4. finally, go back to the listener, tab Connections and now select the radio button 'Redirect all traffic from HTTP to HTTPS'.

BTW --- if you want to control which SChannel ciphers will be offered in the SSL/TLS negotiation by ISA server, check out http://support.microsoft.com/kb/245030/en-us.

HTH,
Stefaan

(in reply to Jack in the Box)
Post #: 2
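The registry mechanism Stefaan points to in KB 245030, worked through as an added example. This is not code from the thread, from Microsoft, or from any ISA tool: it writes the KB 245030 "Enabled" switches on the ISA host so that SChannel (which the ISA web listener uses for its SSL handshakes) stops offering SSL 2.0 and every cipher below 128 bits, then reads the result back. Assumptions: it is run in an elevated PowerShell on the ISA server itself, the subkey names are the ones KB 245030 documents for Windows Server 2003/2008 (check the exact Triple DES key name against the KB for the OS in use), and SChannel only picks the change up after a reboot.

```powershell
# Added example (not from the thread, Microsoft, or the CipherControl tool).
# Applies the KB 245030 SChannel registry switches on the local ISA host and reads them back.
# Assumes: elevated PowerShell on the ISA server; key names as documented in KB 245030;
# a reboot is required before SChannel uses the new settings.

$base    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$enable  = -1   # stored as DWORD 0xffffffff, the "enabled" value KB 245030 uses
$disable = 0

# Server-side protocol switches: PCT 1.0 and SSL 2.0 off, SSL 3.0 and TLS 1.0 stay on.
$protocols = @{ 'PCT 1.0' = $disable; 'SSL 2.0' = $disable; 'SSL 3.0' = $enable; 'TLS 1.0' = $enable }

# Cipher switches: everything under 128 bits (the 40- and 56-bit suites from the audit
# output) off, the 128-bit and 168-bit suites on. These key names contain "/", which the
# HKLM: drive provider treats as a path separator, so New-Item / Set-ItemProperty would
# create the wrong keys; the .NET registry API below accepts "/" as part of a key name.
$ciphers = @{
    'NULL'           = $disable; 'DES 56/56'   = $disable
    'RC2 40/128'     = $disable; 'RC2 56/128'  = $disable
    'RC4 40/128'     = $disable; 'RC4 56/128'  = $disable; 'RC4 64/128' = $disable
    'RC2 128/128'    = $enable;  'RC4 128/128' = $enable
    'Triple DES 168' = $enable   # older KB revisions name this key "Triple DES 168/168"
}

function Set-SchannelEnabled([string]$subKey, [int]$value) {
    # CreateSubKey opens the key writable and creates it when missing.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$subKey")
    try {
        $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelEnabled([string]$subKey) {
    # Returns $null when the key or value is absent; SChannel then falls back to its
    # built-in default, which for these protocols and ciphers means "enabled".
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$subKey")
    if ($key -eq $null) { return $null }
    try { return $key.GetValue('Enabled') } finally { $key.Close() }
}

function Format-Enabled($v) {
    if ($v -eq $null) { return '(absent = default on)' }
    return '0x{0:x8}' -f $v   # -1 prints as 0xffffffff
}

# Apply the switches.
foreach ($p in $protocols.Keys) { Set-SchannelEnabled "Protocols\$p\Server" $protocols[$p] }
foreach ($c in $ciphers.Keys)   { Set-SchannelEnabled "Ciphers\$c" $ciphers[$c] }

# Read-back report: anything that should be off but shows 0xffffffff or "(absent)" is still offered.
foreach ($p in $protocols.Keys) {
    '{0,-30} {1}' -f "Protocols\$p\Server", (Format-Enabled (Get-SchannelEnabled "Protocols\$p\Server"))
}
foreach ($c in $ciphers.Keys) {
    '{0,-30} {1}' -f "Ciphers\$c", (Format-Enabled (Get-SchannelEnabled "Ciphers\$c"))
}
```

Two points worth keeping in mind when using this. The keys are machine-wide: they affect every SChannel consumer on that host (IIS, RDP, and so on), not just the ISA web listener, and on an ISA array they have to be applied to every member. They are also independent of the rule's 'Require 128-bit encryption for HTTPS traffic' check box, which ISA enforces per rule after the handshake, so after the reboot the external probe (the serversniff-style check in the first post) is the thing to re-run to confirm that SSL 2.0 and the 40/56-bit suites are no longer offered.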
RE: Possible to specify which SSL protocols/ciphers ISA... - 24.Feb.2007 12:06:02 PM   
Jack in the Box

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
Thank you very much.  I've used that KB article before but couldn't find it again; thanks for the link, and thanks for the instructions on how to force 128-bit connections.  I'll implement it right away.

(in reply to Jack in the Box)
Post #: 3
RE: Possible to specify which SSL protocols/ciphers ISA... - 24.Feb.2007 1:59:24 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Jack,

glad to hear I could help!

BTW --- I have opened a case with Microsoft PSS for this GUI weirdness. When I have new information about this case I will blog about it.

Thanks,
Stefaan

(in reply to Jack in the Box)
Post #: 4
RE: Possible to specify which SSL protocols/ciphers ISA... - 26.Feb.2007 9:20:07 PM   
Jack in the Box

Posts: 51
Joined: 21.Mar.2001
From: Edmonton, AB, CA
Status: offline
If you hear something I bet a lot of us who have noticed that peculiar behavior in the GUI would love to see a post about it.  Thanks.

(in reply to spouseele)
Post #: 5
RE: Possible to specify which SSL protocols/ciphers ISA... - 8.Nov.2008 7:16:58 AM   
LoZio

Posts: 7
Joined: 4.Mar.2008
Status: offline
I was also looking for solutions for setting up secure SSL connections and found this free tool
http://www.gorlani.com/publicprj/CipherControl/
which sets the reg key locally or remotely with no hassle.
Bye

(in reply to Jack in the Box)
Post #: 6
