Possible to specify which SSL protocols/ciphers ISA is allowed to use?

Jack in the Box -> Possible to specify which SSL protocols/ciphers ISA is allowed to use? (23.Feb.2007 7:12:34 PM)

I have a couple ISA servers (2004 and 2006) that are used to publish a couple HTTPS web sites.  We recently had a network audit and one of the things that came back was that the ISA servers were listing SSLv2 and >128-bit ciphers as available for use to web clients.

When I ran SSL Check from serversniff.net it seemed to confirm the results (posted below).  Is there a way to specify that ISA only accept TLS1.X/SSLv3 connections?  At the very least I need to ensure nothing less than 128-bit encryption is used, but I noticed that if I set the web listener in ISA 2006 to accept HTTP/HTTPS connections but redirect all incoming HTTP requests to HTTPS, the option in the web publishing rule to always use 128-bit encryption is greyed out, so I'm not sure if that means the ISA 2006 server will accept a 56-bit SSL connection, for example.  Ideally I'd like to limit ISA to 128+ bit ciphers and TLS1.X/SSLv3 only.

For reference here is the results for the ISA 2006 server.

=====================
Serversniff SSL-Check, using: 
OpenSSL 0.9.8c 05 Sep 2006 

Preferred cipher: 
TLSv1/SSLv3, Cipher is RC4-MD5 RC4(128) 

Available SSL2 ciphers: 
DES-CBC3-MD5 168 bit
RC2-CBC-MD5 128 bit
RC4-MD5 128 bit
DES-CBC-MD5 56 bit
EXP-RC2-CBC-MD5 40 bit
EXP-RC4-MD5 40 bit

Available SSL3 ciphers: 
DES-CBC3-SHA 168 bit
RC4-SHA 128 bit
RC4-MD5 128 bit
DES-CBC-SHA 56 bit
EXP-RC2-CBC-MD5 40 bit
EXP-RC4-MD5 40 bit

Available TLS1 ciphers: 
DES-CBC3-SHA 168 bit
RC4-SHA 128 bit
RC4-MD5 128 bit
DES-CBC-SHA 56 bit
EXP-RC2-CBC-MD5 40 bit
EXP-RC4-MD5 40 bit
SSL-Connection:
SSL-Overhead: SSL handshake has read 1017 bytes and written 300 bytes 
New, TLSv1/SSLv3, Default Cipher is RC4-MD5 
Length of public server-key: 1024 bit 
Default protocol : TLSv1 
Default Cipher : RC4-MD5 
TLS 1.1 support... no
fallback from TLS 1.1 to... TLS 1.0
TLS 1.0 support... yes
SSL 3.0 support... yes
server can accept Hello Extensions... yes
server can accept cipher suites not in SSL 3.0 spec... yes
server can accept a bogus TLS record version in the client hello... yes
server understands TLS closure alerts... partially
server supports session resumption... yes
ephemeral Diffie Hellman support... no
ZLIB compression support (TLS extension)... no
LZO compression support (GnuTLS extension)... no
SRP authentication support (TLS extension)... no
OpenPGP authentication support (TLS extension)... no
=====================




spouseele -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (24.Feb.2007 5:11:08 AM)

Hi Jack,

yep, there seems to be a little GUI problem with the checkbox 'Require 128-bit encryption for HTTPS traffic' if the radio button 'Redirect all traffic from HTTP to HTTPS' is enabled on the Web listener.

However, you can get it to work if you perform the following steps in sequence (I only tested it on ISA 2006): 
1. go to the listener, tab Connections and make sure you select the radio button 'Do not redirect traffic from HTTP to HTTPS'.
2. next go to the rule, tab Traffic and you will see that the check box 'Notify HTTP users to use HTTPS instead' becomes available. Check that box.
3. by doing that the check box 'Require 128-bit encryption for HTTPS traffic' becomes also available. So, check that box too. 
4. finally, go back to the listener, tab Connections and now select the radio button 'Redirect all traffic from HTTP to HTTPS'.

BTW --- if you want to control which SChannel ciphers will be offered in the SSL/TLS negotiation by ISA server, check out http://support.microsoft.com/kb/245030/en-us.

HTH,
Stefaan
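The KB article Stefaan points to controls SChannel through registry values, and since ISA relies on SChannel for its HTTPS listeners, those values are what actually decides which protocols and ciphers the listener will negotiate. The script below is an added example written for this page; it is not part of the thread, of ISA, or of the KB. It assumes the key and value names documented in KB 245030 (Protocols\<name>\Server\Enabled and Ciphers\<name>\Enabled as REG_DWORD, 0 to disable) and that the box is rebooted afterwards, which the KB requires before SChannel re-reads the values. It disables SSL 2.0 and PCT 1.0 on the server side and every cipher entry weaker than 128 bits, which is exactly the list of SSL2/56-bit/40-bit entries that appeared in the serversniff output above.

```powershell
# Added example (not from the thread or from Microsoft): hardens SChannel on an ISA host
# using the registry values documented in KB 245030. Run in an elevated shell on the
# ISA server itself. Without -Apply it only reports what it would change.
# Assumption: a reboot is needed afterwards before SChannel uses the new settings.
param(
    [switch]$Apply
)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocols to switch off (Protocols\<name>\Server, Enabled = 0).
$weakProtocols = @('PCT 1.0', 'SSL 2.0')

# Cipher key names from KB 245030 that are weaker than 128 bits or encrypt nothing.
# The key names contain a literal "/" which the PowerShell registry provider treats as a
# path separator, so the .NET RegistryKey API is used instead of New-Item/Set-ItemProperty.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')

function Set-SchannelEnabled {
    param([string]$SubKey, [int]$Value)

    $base = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $base.OpenSubKey($SubKey, $true)      # $null if the key does not exist yet
    $current = $null
    if ($key) { $current = $key.GetValue('Enabled') }

    if ($current -eq $Value) {
        Write-Host ("unchanged  HKLM\{0}  Enabled={1}" -f $SubKey, $Value)
        if ($key) { $key.Close() }
        return
    }
    if (-not $Apply) {
        Write-Host ("would set  HKLM\{0}  Enabled={1}  (current: {2})" -f $SubKey, $Value, $current)
        if ($key) { $key.Close() }
        return
    }
    if (-not $key) { $key = $base.CreateSubKey($SubKey) }
    $key.SetValue('Enabled', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Write-Host ("set        HKLM\{0}  Enabled={1}" -f $SubKey, $Value)
}

foreach ($p in $weakProtocols) { Set-SchannelEnabled "$schannel\Protocols\$p\Server" 0 }
foreach ($c in $weakCiphers)   { Set-SchannelEnabled "$schannel\Ciphers\$c" 0 }

if ($Apply) {
    Write-Host 'Reboot the server so SChannel re-reads these values, then repeat the external SSL scan.'
}
```

Two caveats before running it with -Apply. The Ciphers entries have no separate client/server side, so they also govern the SSL connections ISA itself opens to published web servers when bridging HTTPS; make sure those back ends still share at least one of the remaining ciphers (RC4 128/128 or Triple DES 168/168 on this vintage of Windows). And because the change is server-wide, verify it from outside afterwards with the same kind of scan that raised the audit finding, rather than trusting the registry alone.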




Jack in the Box -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (24.Feb.2007 12:06:02 PM)

Thank you very much.  I've used that KB article before but couldn't find it; thanks for the link, and thanks for the instructions on how to force 128-bit connections.  I'll implement it right away.




spouseele -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (24.Feb.2007 1:59:24 PM)

Hi Jack,

glad to hear I could help! :)

BTW --- I have opened a case with Microsoft PSS for this GUI weirdness. When I have new information about this case I will blog about it.

Thanks,
Stefaan




Jack in the Box -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (26.Feb.2007 9:20:07 PM)

If you hear something I bet a lot of us who have noticed that peculiar behavior in the GUI would love to see a post about it.  Thanks.




LoZio -> RE: Possible to specify which SSL protocols/ciphers ISA is allowed to use? (8.Nov.2008 7:16:58 AM)

I was also looking for solutions in setting up secure SSL connections and found this free tool
http://www.gorlani.com/publicprj/CipherControl/
that sets the reg key locally or remotely with no hassle.
Bye



