SSL – what is involved in upgrading from SSL 2.0 to SSL 3.0 in IIS 6?

Tags: iis-6, ssl, windows-server-2003

I am using a site security testing suite and it says SSL 2.0 has known vulnerabilities and I should change it to SSL 3.0.

Will my current certificates still work once I switch to SSL 3.0?

How do I make the switch? Is it only in IIS, or would I need to change anything in my web application?

Thanks

Best Answer

Both SSL 2.0 and SSL 3.0 are enabled in IIS 6 by default. (IIS 7, too, for that matter--go figure!) The client and server negotiate to arrive at the version of the SSL protocol to use.

Your certificates will still work. Disabling SSL 2.0 will not invalidate your existing SSL certificates. This is a protocol-level thing handled by IIS and the OS network stack, so no changes to your web application will be required.

You can disable SSL 2.0 in IIS so it will no longer offer to use that version of the protocol during negotiation; the downside of this is that you will no longer be able to communicate with browsers that only support the SSL 2.0 protocol. (This is also the good thing, as you will no longer be open to vulnerabilities in the SSL 2.0 protocol!)

The SSL 3.0 protocol specification has been around since 1996, so the universe of potential browsers you will be locking out of your site by not supporting SSL 2.0 should be pretty small, unless, of course, your site caters to users of ancient web browsers...

Additional information, including instructions on editing the registry to disable SSL 2.0, can be found in Microsoft Support Article ID 187498.

If you're really curious about what goes on during that whole "protocol negotiation" thing, additional information and references can be found in Microsoft Support Article ID 299520.
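As an added example (not part of the answer above, and not Microsoft's own tooling), the following PowerShell script applies the server-side registry change that KB 187498 describes: it reports the current SSL 2.0 server state under the SCHANNEL `Protocols` key, then sets `Enabled` to 0. It assumes it runs elevated on the IIS 6 host and that a reboot follows, since SCHANNEL reads these values at startup.

```powershell
# Added example: disable SSL 2.0 on the server side via the SCHANNEL registry
# key documented in KB 187498. Assumes an elevated session on the IIS 6 host.
# On Windows Server 2003 a missing key or value means "enabled" (the default);
# Enabled = 0 (REG_DWORD) turns the protocol off after a reboot.

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ssl2Server = Join-Path $protocols 'SSL 2.0\Server'

function Get-Ssl2ServerState {
    # Returns a human-readable state so the change can be checked before/after.
    if (-not (Test-Path $ssl2Server)) { return 'enabled (default: key absent)' }
    $prop = Get-ItemProperty -Path $ssl2Server -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'enabled (default: value absent)' }
    if ($prop.Enabled -eq 0) { return 'disabled' }
    return 'enabled (Enabled = {0})' -f $prop.Enabled
}

Write-Host ('Before: SSL 2.0 server is ' + (Get-Ssl2ServerState))

# Create the key path if it does not exist yet, then set Enabled = 0.
if (-not (Test-Path $ssl2Server)) { New-Item -Path $ssl2Server -Force | Out-Null }
New-ItemProperty -Path $ssl2Server -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

Write-Host ('After:  SSL 2.0 server is ' + (Get-Ssl2ServerState))
Write-Host 'Reboot the server for SCHANNEL to pick up the change, then re-run the scanner.'
```

Only the `Server` subkey is touched, matching the answer's point that this is a protocol-level change on the IIS side; the existing certificates and the web application are left alone.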