I have been tasked with configuring an IIS7 server to accept TLS 1.0 HTTPS connections only.
I have come up with the following list of cipher suites which I have deduced are TLS 1.0.
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
I have put that list in the box in the following policy:
Computer Configuration | Administrative Templates | Network | SSL Configuration Settings | SSL Cipher Suite Order
Is that sufficient? Are any of the suites in my list not TLS 1.0? Are there any other TLS 1.0 suites supported by IIS7 that aren't in the list?
The server, by the way, is Windows Server 2008 R2.
Thanks
Best Answer
Limiting the ciphersuites is not the right method, as they could be negotiated by SSLv3 client as well, which will result in SSLv3. The best way is to follow the article Robert pointed to (http://support.microsoft.com/kb/187498) and set the proper registry keys. Anything other than that is prone to errors.