SSL – Issues disabling SSL 2.0 in IIS 6

Tags: iis, iis-6, ssl, windows-registry, windows-server-2003

I have reviewed both related posts on this site:

How do I disable SSL 2.0 support on IIS?

How to disable SSL 2.0 on IIS 7.5?

The issue I am having is that I have implemented the registry change, rescanned my websites, and I am still being told that IIS 6 is allowing SSL 2.0 connections.

Here's the verbiage from the scanning site:

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.

Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

QUESTIONS:

  • How do I test this myself so I can continue to troubleshoot the issue?
  • Is there a tool out there that I can use to test?
  • Would I need to disable other connection methods? [PCT 1.0 / TLS 1.0]

Thanks

Best Answer

You will need to disable PCT 1.0 as well as SSLv2, as it is no longer used. If you follow the MS KB, then you should be fine. You can use ssllabs.com to test your server if it is reachable over the Internet. Also you could use the G-SEC tool for configuring SSL/TLS on Windows.
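For testing the server yourself after the registry change, here is an added example (not part of the original question or answer) that sends an SSL 2.0 CLIENT-HELLO to a server you administer and classifies the reply. The function names are hypothetical; the message layout and cipher kind values follow the SSL 2.0 specification, and a raw socket is used because current TLS libraries no longer include SSL 2.0.

```python
import os
import socket
import struct
import sys

# SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = bytes.fromhex("010080" "020080" "030080" "040080"
                             "050080" "060040" "0700c0")

def build_sslv2_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record that advertises version 0x0002 only."""
    challenge = challenge or os.urandom(16)
    # msg type 1, version, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    # 2-byte record header: high bit set, 15-bit body length
    return struct.pack(">H", 0x8000 | len(body)) + body

def classify_response(data):
    """Classify the first bytes the server sends back to the probe."""
    if not data:
        return "closed: no SSLv2 handshake"
    if data[0] in (0x15, 0x16) and len(data) > 1 and data[1] == 0x03:
        return "SSLv3/TLS record: SSLv2 refused"
    if len(data) >= 3 and data[0] & 0x80:
        if data[2] == 4 and len(data) >= 11:  # SERVER-HELLO
            version, _cert_len, spec_len = struct.unpack(">HHH", data[5:11])
            if version == 0x0002:
                return "SSLv2 SERVER-HELLO: enabled, %d cipher(s)" % (spec_len // 3)
        if data[2] == 0:  # SSLv2 ERROR message
            return "SSLv2 ERROR message returned"
    return "unrecognised response"

def probe(host, port=443, timeout=5.0):
    """Send the probe to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv2_client_hello())
            return classify_response(s.recv(4096))
    except OSError:  # reset or timeout after the hello: handshake not accepted
        return "closed: no SSLv2 handshake"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        # Constructed sample reply: SERVER-HELLO offering one cipher.
        print(classify_response(bytes.fromhex("800e0400010002000000030000010080")))
```

A SERVER-HELLO that reports 0 ciphers still means the protocol is being answered, which some scanners flag even though no session can be negotiated.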