Ssl – How to limit SSL/TLS connections to at least 128-bit encryption

Tags: encryption, https, iis, ssl, tls

When I'm ordering an SSL cert for my public web server, how can I be sure that the web server (IIS 6 in my case) will only allow SSL/TLS client connections supporting our corporate standard of at least 128-bit symmetric encryption?

I'm aware you can purchase an SSL cert that supports 128-bit, but during handshaking the client can possibly choose to downgrade the connection to, say, SSLv2 and run with 40-bit encryption.

How can I enforce that the client must use 128-bit encryption or better?

Best Answer

Enforcing 128-bit encryption keys via the check box is step 1 to enforcing strong SSL on your web server, but without explicitly disabling weak encryption algorithms in the registry, clients can request to use less secure methods of encryption (while using keys that are 128 bits in length). Here is the KB for editing the registry: http://support.microsoft.com/kb/245030.

However, I followed this, rescanned for vulnerabilities and found that I missed some, so here is an article that better explains what to turn off: http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html. You will need to reboot after you are done for the changes to take effect.
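The registry changes the answer refers to can be scripted instead of edited by hand. The following is an added example (not code from the original post, the KB article or Microsoft) that writes the SCHANNEL `Enabled` values described in KB 245030 to turn off the server side of PCT 1.0 and SSL 2.0 and the cipher entries below 128 bits, then reads the values back so you can check them before rebooting. It assumes PowerShell is installed on the Windows Server 2003 / IIS 6 host (it is not bundled with that OS) and that the session is elevated; the list of weak cipher key names is the one from the KB, and the functions `Set-SchannelEnabled` and `Get-SchannelEnabled` are names chosen here, not Windows cmdlets.

```powershell
# Added example: disable SSLv2/PCT and sub-128-bit SCHANNEL ciphers on an IIS 6 host,
# following the registry layout described in KB 245030. Assumes PowerShell is installed
# and the session runs as an administrator. A reboot is required afterwards.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocols whose server side is switched off (Client subkeys are left alone here).
$weakProtocols = @('PCT 1.0', 'SSL 2.0')

# Cipher entries below the 128-bit floor, plus NULL (no encryption at all).
# These are the literal subkey names SCHANNEL uses; note the '/' in the names.
$weakCiphers = @('NULL', 'RC2 40/128', 'RC4 40/128', 'RC2 56/128', 'RC4 56/128', 'DES 56/56')

function Set-SchannelEnabled {
    param([string]$SubKey, [int]$Enabled)
    # The cipher key names contain '/', which the PowerShell registry provider would
    # treat as a path separator, so use the .NET registry API rather than New-Item.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath, $true)
    if ($null -eq $root) { throw "SCHANNEL key not found under HKLM\$schannelPath" }
    try {
        $key = $root.CreateSubKey($SubKey)   # opens the key if present, creates it otherwise
        try {
            $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Close() }
    } finally { $root.Close() }
}

function Get-SchannelEnabled {
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannelPath\$SubKey")
    if ($null -eq $key) { return $null }      # no key at all means SCHANNEL's default (enabled)
    try { return $key.GetValue('Enabled') } finally { $key.Close() }
}

# Apply: Enabled = 0 disables the protocol or cipher.
foreach ($p in $weakProtocols) { Set-SchannelEnabled -SubKey "Protocols\$p\Server" -Enabled 0 }
foreach ($c in $weakCiphers)   { Set-SchannelEnabled -SubKey "Ciphers\$c" -Enabled 0 }

# Audit: show the resulting state so it can be verified before the reboot.
foreach ($p in $weakProtocols) {
    "{0,-28} Enabled={1}" -f "Protocols\$p\Server", (Get-SchannelEnabled "Protocols\$p\Server")
}
foreach ($c in $weakCiphers) {
    "{0,-28} Enabled={1}" -f "Ciphers\$c", (Get-SchannelEnabled "Ciphers\$c")
}
```

The 128-bit and stronger entries (RC4 128/128, Triple DES 168) are deliberately not touched, since they meet the floor the question asks for. After the reboot, rescan the server as the answer describes; a missing key in the audit output means SCHANNEL is still using its default for that entry, so anything the scanner still flags should show up there as `Enabled=` with no value.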