If we enable SSL/TLS encryption on a web server, we can configure various parameters. We usually have the option to restrict the ciphers used, so we can disable weak ciphers and order the rest to prioritize Forward Secrecy. By default, usually all ciphers are allowed. Let's look at the settings of the most widespread web/application servers.
Apache HTTP Server
The Apache web server uses the OpenSSL library for SSL/TLS. This brings both advantages and disadvantages: if there is a vulnerability in this library (like the recent Heartbleed bug and others), the server is vulnerable too. In general, it is a good idea to use the latest versions of both OpenSSL and Apache. For example, support for elliptic curves (and thus ECDHE, which is recommended for its Forward Secrecy property) is available only from Apache 2.3.3, and the same version also added OCSP Stapling support (which is recommended). From Apache 2.4.7, the Diffie-Hellman parameters are configured automatically (previously 1024 bits was always used). To use the TLSv1.1 and TLSv1.2 protocols, OpenSSL version 1.0.1 or higher is required.
Note: In connection with the POODLE attack, the TLS_FALLBACK_SCSV security feature was added in OpenSSL 1.0.1j.
OpenSSL also contains tools for working with certificates, such as issuing a request (and a private key), creating a self-signed certificate, format conversions, checking or removing a passphrase from a private key.
Apache Configuration
Apache uses the mod_ssl module, and the configuration is done with directives, mostly in the main configuration file (httpd-ssl.conf or httpd.conf). The directives are usually placed in the server config or virtual host section. The official documentation is Apache Module mod_ssl.
Some of the commonly used directives:
- SSLEngine - enables SSL/TLS
- SSLCompression - allows enabling compression; not recommended, as it enables the CRIME attack. The directive is available from version 2.2.24; in versions 2.2.24 and 2.2.25 the default value was on, and only later off
- SSLHonorCipherOrder - normally the client's preference is used for cipher selection; with this directive the server's preference is used instead
- SSLProtocol - allowed protocols
- SSLCipherSuite - allowed ciphers, entered as a colon-separated list; the prefix + moves matching ciphers to the given position in the list, - removes them, ! removes them completely (they cannot be added back later), and no prefix adds them to the list
- SSLRequireSSL - enforces the use of SSL
- SSLVerifyClient - client certificate verification
- SSLCertificateFile - PEM-encoded (Base64) X.509 server certificate (text format starting with -----BEGIN CERTIFICATE-----), extension pem, cer or crt. The file may also include the private key. If we want to use multiple authentication ciphers, we can use several certificates of different types (RSA, DSA, elliptic curves ECC - ECDSA) in parallel
- SSLCertificateKeyFile - PEM-encoded private key for the server certificate, extension key
- SSLCertificateChainFile - a single file that may contain multiple PEM-encoded CA certificates chained together (placed one after another); the first is the authority that issued the server certificate, and the chain can continue up to the root authority. The server sends these certificates to the browser along with the server certificate; extension pem, cer or crt
- SSLCACertificateFile - CA certificate (or several in one file) for verifying client certificates
Example configuration for SSL with optimized ciphers (weak and dangerous ones are disabled and the order is specified):
SSLEngine on
SSLCompression off
SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES:EDH+AES:EDH+CAMELLIA:EECDH+3DES:EDH+3DES:RSA+AES:RSA+CAMELLIA:RSA+3DES
SSLCertificateFile /path/to/certificate
SSLCertificateKeyFile /path/to/private/key
SSLCertificateChainFile /path/to/CA_certificates
Note: Enabling SSL and the certificate files would typically be placed in the VirtualHost section, the rest in the main section. In newer versions of Apache, SSLv2 is no longer supported at all and is not part of All. Changes take effect after restarting the server (or reloading the configuration).
Choosing Protocols and Ciphers
Choosing the right set of ciphers in the SSLCipherSuite directive and the protocols in SSLProtocol is important and complicated. There are many options and perhaps none are ideal. We will definitely not enable SSL 2, and it is also a good idea to disable SSL 3, which would only affect Internet Explorer 6 in its default state (TLS 1.0 support can be enabled in its configuration).
If we support TLS 1.0 (which we probably do), we have to decide whether to use the weak RC4 cipher or to disable it and remain vulnerable to the BEAST attack (which is now considered the lesser evil). Similarly, for the oldest clients on Windows XP (if we want to support them), we have to choose between RC4 and 3DES.
It is also a good idea to order the list so that the ciphers supporting Perfect Forward Secrecy come first. We can find many example settings on the internet, mostly using RC4, but the latest discussions tend to avoid it.
Note: If we have an RSA certificate, the authentication will be RSA and ECDSA or DSS will not be offered, even if we have them configured.
Ciphers can be specified by an exact list, by a list of groups, or by allowing all and listing the forbidden types. It would seem more appropriate to allow a set of ciphers and list the forbidden ones, because if a new cipher were added in the future, we would support it automatically. But it is often easier to list the allowed ones, mainly because we want to determine their order. Some other examples of cipher lists are below; the first variant is resistant to BEAST and POODLE when SSL 3 is in use (it uses RC4).
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED
SSLCipherSuite ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
SSLCipherSuite TLSv1.2:RC4:HIGH:!aNULL:!eNULL:!MD5
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!RC2:!RC4:!DES:!IDEA:!SEED:!aNULL:!ADH:!PSK:!MD5:+HIGH:+MEDIUM
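The prefix rules described above for SSLCipherSuite (no prefix, +, -, !), applied to the article's own cipher lists, as an added example that is not part of the article or of OpenSSL: a toy evaluator of OpenSSL cipher-list strings over a constructed subset of suites. The SUITES table, its alias tags and the strength classes are assumptions modelled on OpenSSL 1.0.x; @STRENGTH and the full alias set are not modelled.

```python
# Toy model of the OpenSSL cipher-list syntax behind SSLCipherSuite (added
# example, not OpenSSL's own code). SUITES is a constructed subset: each suite
# maps to the alias groups it belongs to (key exchange, authentication, cipher,
# MAC, strength, protocol). Strength follows OpenSSL 1.0.x, where 3DES is HIGH.
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256":   {"EECDH", "aRSA", "AES", "AESGCM", "HIGH", "TLSv1.2"},
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"EECDH", "aECDSA", "AES", "AESGCM", "HIGH", "TLSv1.2"},
    "ECDHE-RSA-AES128-SHA256":       {"EECDH", "aRSA", "AES", "SHA256", "HIGH", "TLSv1.2"},
    "ECDHE-RSA-AES256-SHA":          {"EECDH", "aRSA", "AES", "SHA1", "HIGH"},
    "ECDHE-RSA-DES-CBC3-SHA":        {"EECDH", "aRSA", "3DES", "SHA1", "HIGH"},
    "ECDHE-RSA-RC4-SHA":             {"EECDH", "aRSA", "RC4", "SHA1", "MEDIUM"},
    "DHE-RSA-AES256-SHA":            {"EDH", "aRSA", "AES", "SHA1", "HIGH"},
    "DHE-RSA-CAMELLIA128-SHA":       {"EDH", "aRSA", "CAMELLIA", "SHA1", "HIGH"},
    "EDH-RSA-DES-CBC3-SHA":          {"EDH", "aRSA", "3DES", "SHA1", "HIGH"},
    # anonymous DH: ephemeral key exchange (kEDH) but no authentication (aNULL);
    # EDH/EECDH in OpenSSL mean *authenticated* ephemeral exchange, so it is not EDH
    "ADH-AES128-SHA":                {"kEDH", "aNULL", "ADH", "AES", "SHA1", "HIGH"},
    "AES128-SHA":                    {"kRSA", "aRSA", "AES", "SHA1", "HIGH"},
    "CAMELLIA256-SHA":               {"kRSA", "aRSA", "CAMELLIA", "SHA1", "HIGH"},
    "DES-CBC3-SHA":                  {"kRSA", "aRSA", "3DES", "SHA1", "HIGH"},
    "RC4-SHA":                       {"kRSA", "aRSA", "RC4", "SHA1", "MEDIUM"},
    "RC4-MD5":                       {"kRSA", "aRSA", "RC4", "MD5", "MEDIUM"},
    "DES-CBC-SHA":                   {"kRSA", "aRSA", "DES", "SHA1", "LOW"},
    "EXP-RC4-MD5":                   {"kRSA", "aRSA", "RC4", "MD5", "EXP"},
    "NULL-SHA":                      {"kRSA", "aRSA", "eNULL", "SHA1"},
}

# Aliases that stand for several tags; any one of them matches.
ALIASES = {
    "RSA": {"kRSA", "aRSA"},     # RSA key exchange or RSA authentication
    "ECDSA": {"aECDSA"},
    "NULL": {"eNULL"},
    "SHA": {"SHA1"},
}

# The two lists from the article (the Apache example and the last variant above).
APACHE_LIST = "EECDH+AES:EDH+AES:EDH+CAMELLIA:EECDH+3DES:EDH+3DES:RSA+AES:RSA+CAMELLIA:RSA+3DES"
ALL_MINUS_WEAK = "ALL:!EXP:!NULL:!LOW:!SSLv2:!RC2:!RC4:!DES:!IDEA:!SEED:!aNULL:!ADH:!PSK:!MD5:+HIGH:+MEDIUM"


def matches(suite, pattern):
    """True if the suite satisfies every '+'-joined part of the pattern."""
    tags = SUITES[suite]
    for part in pattern.split("+"):
        if part == suite:            # an exact suite name is also a valid word
            continue
        if part == "ALL":            # ALL is every suite except the eNULL ones
            if "eNULL" in tags:
                return False
            continue
        if not ALIASES.get(part, {part}) & tags:
            return False
    return True


def expand(cipher_string):
    """Evaluate a colon-separated cipher list and return the resulting order."""
    order = []        # current list, in server preference order
    killed = set()    # suites removed with '!' can never come back
    for word in cipher_string.split(":"):
        if not word:
            continue
        op, pattern = (word[0], word[1:]) if word[0] in "+-!" else ("", word)
        hits = [s for s in SUITES if s not in killed and matches(s, pattern)]
        if op == "!":                       # delete permanently
            killed.update(hits)
            order = [s for s in order if s not in hits]
        elif op == "-":                     # delete, but a later word may re-add
            order = [s for s in order if s not in hits]
        elif op == "+":                     # move already-listed matches to the end
            moved = [s for s in order if s in hits]
            order = [s for s in order if s not in hits] + moved
        else:                               # append matches not yet listed
            order += [s for s in hits if s not in order]
    return order


if __name__ == "__main__":
    for name, spec in (("article list", APACHE_LIST), ("ALL minus weak", ALL_MINUS_WEAK)):
        print(name)
        for suite in expand(spec):
            print("   ", suite)
```

Both article lists end up with the same set of suites on this table, but only the explicit list fixes the order; the ALL-based one leaves it to the table order, which is why the text prefers listing allowed ciphers when the order matters.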
Apache Tomcat
The Tomcat application server can use one of two SSL implementations: the APR (Apache Portable Runtime) implementation, which normally uses the OpenSSL libraries, or the JSSE (Java Secure Socket Extension) implementation, which is part of the Java runtime. The available protocols and ciphers depend on the libraries used and their versions. Currently, APR with the latest version of OpenSSL is likely the better choice.
The official documentation (for Tomcat 7) can be found in the articles Apache Tomcat 7 - SSL Configuration HOW-TO, Apache Tomcat 7 - The HTTP Connector.
Note: We discussed the considerations for protocols and ciphers in the previous article and also for the Apache HTTP Server.
The SSL/TLS configuration for Tomcat is done in the server.xml file, mainly in the Connector element, where we enter various attributes. Whether the APR or JSSE implementation is used is determined automatically by the Tomcat installation (APR requires a special one), or we can define it manually with the protocol attribute.
- HTTP/1.1 - uses automatic selection
- org.apache.coyote.http11.Http11Protocol - blocking Java connector (BIO JSSE)
- org.apache.coyote.http11.Http11NioProtocol - non-blocking Java connector (NIO JSSE)
- org.apache.coyote.http11.Http11AprProtocol - APR connector (the library must be available)
Several other attributes are common to both implementations; the main ones are:
- port - the TCP port on which the server socket for incoming connections is created
- protocol - the protocol implementation used, see above
- SSLEnabled - enables SSL/TLS on the connector
- scheme - the protocol name reported to the application
- secure - tells the application that the connection is secured with SSL
Additional attributes for SSL configuration are different for JSSE or APR, and the certificate format also differs. After modifying the configuration, the server needs to be restarted.
JSSE SSL - Native Java BIO, NIO
In this case, it depends on which Java we are using; for example, OpenJDK is worse in terms of cipher support than Oracle JDK. Additionally, we can use a different crypto implementation (by placing the JAR file in the ext folder and setting the provider list in the java.security file), for example Bouncy Castle, which is better. Oracle Java supports TLS 1.2 only from version 7.
Tomcat (Java) uses a keystore file to store the server's certificates and private keys. We can use OpenSSL tools to work with this file, but more often the keytool utility, which is part of the JRE (Java Runtime Environment), is used. The keystore can be in JKS (Java KeyStore) format, the standard Java format handled by keytool, or in the PKCS11 and PKCS12 (Public-Key Cryptography Standards #12) formats. PKCS12 is an internet standard, commonly using the p12 or pfx extension, and is used in Windows; tools like OpenSSL can work with it. If we use a format other than JKS, we need to specify keystoreType="PKCS12" in the configuration.
Commonly used attributes
- sslProtocol - a single value specifying the allowed protocols
- sslEnabledProtocols - a comma-separated list of allowed protocols (used from Tomcat 6.0.38; in older versions sslProtocols serves the same purpose)
- ciphers - a comma-separated list of allowed ciphers (the value ALL allows all)
- keystoreFile - the keystore file
- keystoreType - the keystore type
- keystorePass - the keystore password
- clientAuth - client authentication using certificates
Cipher and protocol names as used by Java can be found in the Java Cryptography Architecture Standard Algorithm Name Documentation. The rules are similar to what we described earlier. Additionally, Java (apparently up to version 8) uses 768-bit DHE keys, which are not secure (Java 8 should address this), so it is recommended to use only ECDHE. We cannot specify the order of ciphers, so we cannot prioritize Forward Secrecy; this is supported only from Tomcat 8 with Java 8.
Java has a default restriction on strong ciphers: if we want to use 256-bit AES (and not just 128-bit), we need to download and install (copy two small files into the JDK/JRE folder) the JCE Unlimited Strength Jurisdiction Policy Files.
Example configuration
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" SSLEnabled="true" scheme="https" secure="true"
sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
clientAuth="false"
keystoreFile="/path/to/PKCS12certificate"
keystoreType="PKCS12"
keystorePass="passw"
maxThreads="200" acceptCount="100" />
APR - OpenSSL
When using the OpenSSL library, everything is similar to what we described for the Apache HTTP Server (version 1.0.1 is required to support TLSv1.1 and TLSv1.2, the configuration method is the same, etc.). Currently, using OpenSSL is better than JSSE, as it supports newer ciphers. Here we list only the main attributes.
- SSLProtocol - allowed protocols; currently only the keywords ALL, SSLv2, SSLv3 and TLSv1, and their combinations joined with a plus sign, can be used. ALL is the same as SSLv3+TLSv1 and allows SSL 3, TLS 1.0, TLS 1.1 and TLS 1.2; TLSv1 alone gives only TLS 1.0. It is currently not possible to block SSL 3 and allow all three TLS versions (according to the changelog, this should be possible in the upcoming Tomcat 7.0.57)
- SSLCipherSuite - allowed ciphers
- SSLHonorCipherOrder - the server determines the order of ciphers
- SSLVerifyClient - client authentication using certificates
- SSLDisableCompression - disables SSL compression, available from version 7.0.36
Example configuration
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" SSLEnabled="true" secure="true" scheme="https"
SSLProtocol="ALL"
SSLCipherSuite="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SEED"
SSLHonorCipherOrder="true" SSLDisableCompression="true"
SSLCertificateFile="/path/to/certificate"
SSLCertificateChainFile="/path/to/CA_certificates"
SSLCertificateKeyFile="/path/to/private/key"
SSLPassword="passw"
maxThreads="200" acceptCount="100" />
The cipher list in the example uses RC4 because SSL 3 stays enabled here and RC4 avoids the POODLE and BEAST attacks on CBC ciphers. If we can disable SSL 3, we can use the same list as in Apache.
SSLCipherSuite="EECDH+AES:EDH+AES:EDH+CAMELLIA:EECDH+3DES:EDH+3DES:RSA+AES:RSA+CAMELLIA:RSA+3DES"
Microsoft Windows and IIS (Internet Information Services)
Microsoft uses the system library schannel.dll for SSL/TLS, so this is also used in IIS. The available protocols and ciphers depend on the operating system version.
Windows Server 2003 does not support TLS 1.1, TLS 1.2 or elliptic curves, and by default does not support AES encryption, but AES can be added with the KB948963 hotfix, described in the article An update is available to add support for the TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES cipher suites in Windows Server 2003. We also cannot specify the preferred order of ciphers.
Even on Windows Server 2008 R2 (and therefore IIS 7.5), the dangerous SSLv2 protocol is enabled by default. This is the first system that supports TLSv1.1 and TLSv1.2, but they are not enabled. Windows Server 2012 is much better, although we can still improve its settings: SSL 2 is disabled and all three TLS versions are allowed, the encryption algorithms used are RC4, 3DES and AES, and the hashes are MD5 and SHA.
Note: When modifying these settings on Windows, we need to be careful and test everything thoroughly, because the settings affect everything for which Windows uses SSL/TLS, including the RDP protocol. These system settings also affect applications like Forefront Threat Management Gateway.
The entire SSL/TLS configuration (i.e., the schannel.dll settings) is done by modifying the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Microsoft provides official documentation in the KB article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll. A (certainly not ideal) list of supported ciphers is in the document Cipher Suites in Schannel.
Note: The list of ciphers is limited (compared to OpenSSL); for example, DHE-RSA is not supported, only DHE-DSS. If we don't have the corresponding certificate type, the server will not offer this cipher.
We can also define the order of ciphers using Group Policy (GPO), under Computer Configuration/Policies/Administrative Templates/Network/SSL Configuration Settings/SSL Cipher Suite Order; a brief description is in the article Prioritizing Schannel Cipher Suites.
Configuration using PowerShell
We can modify the settings by changing the registry directly or use PowerShell to achieve the same. A nice script with comments was written by Alexander Hass and is available in the article Setup your IIS for SSL Perfect Forward Secrecy and TLS 1.2. I would also block RC4 and MD5 compared to the settings used there. Below, I provide a slightly modified script (I recommend checking the original).
The following PowerShell script modifies the registry. It disables SSL 2.0 and PCT 1.0 (an old MS protocol, disabled for safety; it is already disabled by default on Windows Server 2003) and enables (sets) TLS 1.0, TLS 1.1 and TLS 1.2. It also disables the weak ciphers NULL, RC2, RC4 and DES and allows 3DES and AES (some values are already set the same by default), disables MD5 and allows SHA, and allows the DH and PKCS (which includes RSA) key exchange algorithms. Finally, it sets the order of cipher suites. It needs to be run with administrator privileges. Some configuration changes take effect immediately, others only after restarting the server. I tested the script on Windows Server 2008 R2.
Note: Before modifying the registry, it's a good idea to make a backup, using regedit or the command reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL backup-schannel.reg
# Disable SSL 2.0, PCT 1.0, enable/set TLS 1.0, TLS 1.1, TLS 1.2
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server' -name Enabled -value 0 -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType 'DWord' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force

# turning ciphers on and off
# (the cipher key names contain a slash, which the registry provider treats as a
# path separator, so the .NET registry API is used instead of md)
$insecureCiphers = 'NULL','RC2 40/128','RC2 56/128','RC2 128/128','RC4 40/128','RC4 56/128','RC4 64/128','RC4 128/128','DES 56/56'
Foreach ($insecureCipher in $insecureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($insecureCipher)
  $key.SetValue('Enabled', 0, 'DWord')
  $key.close()
}
$secureCiphers = 'Triple DES 168/168','AES 128/128','AES 256/256'
Foreach ($secureCipher in $secureCiphers) {
  $key = (Get-Item HKLM:\).OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey($secureCipher)
  $key.SetValue('Enabled', 0xffffffff, 'DWord')
  $key.close()
}

# turning hash algorithms on and off
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value '0' -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force

# enabling KeyExchange algorithms
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force
md 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -name Enabled -value '0xffffffff' -PropertyType 'DWord' -Force

# setting the cipher order (the policy key must exist before the value can be created)
md 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Force
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA' -PropertyType 'String' -Force
On Windows Server 2003, running PowerShell is more difficult, so below is an example of a reg file that can be used to modify the registry. It omits the settings for TLS 1.1, TLS 1.2 and the cipher suite order, which are not supported there.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff
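An added example (not part of the article) that audits a Schannel registry export such as the backup-schannel.reg created above: it parses the .reg format and reports weak protocols, ciphers and hashes that the export does not explicitly disable. SAMPLE_REG is a constructed, shortened export whose values are copied from the reg file above, so the one finding it produces is the SSL 3.0 server setting that file leaves enabled.

```python
# Offline audit of a Schannel .reg export (added example, not from the article).
# SAMPLE_REG is a constructed, shortened export; its values mirror the article's
# Windows Server 2003 reg file, so SSL 3.0 is intentionally still enabled in it.
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000
"""

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
# Protocols whose Server key should carry Enabled=0, and cipher key-name prefixes
# that should be disabled, following the article's own script and reg file.
WEAK_PROTOCOLS = ("Multi-Protocol Unified Hello", "PCT 1.0", "SSL 2.0", "SSL 3.0")
WEAK_CIPHERS = ("NULL", "RC2", "RC4", "DES 56/56")


def parse_reg(text):
    """Map each subkey under SCHANNEL (''=root) to its {value name: int or str}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.lower().startswith(SCHANNEL.lower()):
                current = path[len(SCHANNEL):].lstrip("\\")
                keys[current] = {}
            else:
                current = None          # a key outside SCHANNEL: ignore its values
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def findings(keys):
    """Weak settings the export does not explicitly disable (Enabled != 0)."""
    out = []
    for proto in WEAK_PROTOCOLS:
        server = keys.get("Protocols\\%s\\Server" % proto, {})
        if server.get("Enabled") != 0:      # missing key means OS default, not disabled
            out.append("%s: server side not explicitly disabled" % proto)
    for sub, values in keys.items():
        parts = sub.split("\\")
        if parts[0] == "Ciphers" and len(parts) == 2 and parts[1].startswith(WEAK_CIPHERS):
            if values.get("Enabled") != 0:
                out.append("%s: weak cipher not disabled" % parts[1])
    if keys.get("Hashes\\MD5", {}).get("Enabled") != 0:
        out.append("MD5: hash not disabled")
    return out


if __name__ == "__main__":
    import sys
    # reg export writes UTF-16; give a path to audit a real backup instead of the sample
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for line in findings(parse_reg(text)) or ["no weak settings found"]:
        print(line)
```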
Configuration Using the IIS Crypto Application
A PowerShell script is useful for configuring a group of servers. If you are setting up a single server, a small and nice .NET application called IIS Crypto from Nartac Software can help. It supports Windows Server 2003, 2008, 2008 R2, 2012, and 2012 R2. With it, we can configure the allowed protocols, ciphers, hash algorithms, and key exchange algorithms, and we can also build the cipher suite order. Additionally, there are buttons for recommended settings. The only downside is that even on Windows Server 2003 it shows the TLS 1.2 protocol, which is not supported on that platform.
TLS/SSL Renegotiation Vulnerability
The SChannel library has a known vulnerability in the SSL 3.0 and TLS 1.0 protocols, CVE-2009-3555 (insecure client-initiated renegotiation), which affects IIS as well as ISA / TMG. The solution is to configure renegotiation in the registry: we can enable secure renegotiation (according to RFC 5746) or disable renegotiation completely. Microsoft warns that the change may cause problems (with certain applications during certificate authentication), so it's a good idea to test it thoroughly.
This feature is added to older Windows versions by installing the patch KB980436 and possibly KB977377 (available on Windows Update). From Windows Server 2008 R2 onwards, it is part of the system. It is described in the articles Microsoft Security Advisory 977377, Microsoft Security Bulletin MS10-049 - Critical, and ISA 2006 / TMG 2010: DISABLE CLIENT-INITIATED SSL RENEGOTIATION, PROTECTING AGAINST DOS ATTACKS AND MALICIOUS DATA INJECTION.
The configuration is done in the registry at the path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL, where the required DWORD values are created.
- AllowInsecureRenegoClients - 1 for compatible mode, where the client connects to all servers; 0 for strict mode, where the client uses renegotiation only with servers that support the secure method
- AllowInsecureRenegoServers - 1 for compatible mode, where the server allows all clients; 0 for strict mode, where the server requires clients with secure renegotiation
- DisableRenegoOnClient - 1 to disable (the client does not use renegotiation); 0 or a missing value means enabled
- DisableRenegoOnServer - 1 to disable (the server does not use renegotiation); 0 or a missing value means enabled
Note: These registry settings do not require a restart; they take effect immediately.
Java Applications and JSSE
Java applications and web servers often use the native SSL/TLS implementation called Java Secure Socket Extension (JSSE). We have already mentioned it for Tomcat. If we have no way to configure SSL on the application/server side, we can configure Java directly and restrict/set the ciphers used. An example of such a web server is Jetty, which is used by the widely used XMPP server OpenFire, which also uses the Bouncy Castle library.
The configuration (available starting from Java 7) is done in the java.security file, located in Install_Home\jre\lib\security\ (e.g., /usr/lib/jvm/java-1.7.0/jre/lib/security or c:\Program Files (x86)\Java\jre7\lib\security\java.security). Here, we can specify disabled algorithms for certificates.
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
And most importantly, the disabled ciphers for SSL/TLS.
jdk.tls.disabledAlgorithms=MD2, MD5, RC4, DES, NULL, RSA keySize < 2048
Blocking a particular protocol, such as SSL 3, is the problem. Basic information is available in the article Instructions to disable SSL v3.0 in Oracle JDK and JRE. The often-mentioned parameter -Dhttps.protocols="TLSv1" didn't work for me anywhere (Jetty, OpenFire, Tomcat).
Additional Resources
- SSL/TLS Deployment Best Practices - a document with recommendations for configuring SSL/TLS
- Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001) - description and methods for testing
- Security/Server Side TLS - a variety of information from Mozilla
- Compass SSL/TLS recommendations - a brief summary of configuration recommendations
- SSL/TLS configuration for Apache (mod_ssl) - configuring Apache
- Configuring Apache, Nginx, and OpenSSL for Forward Secrecy - configuring Apache
- SSL/TLS, ciphers, perfect forward secrecy and Tomcat - description of security and Tomcat configuration
- Support for SSL/TLS protocols on Windows - support in Windows
- How to Choose the Right Cipher Suites in Schannel.dll - Microsoft SSL
- Hardening SSL Cipher Strength and SSL Protocol Support on ISA Servers - MS ISA
- Disable Low and Medium Strength Cipher for Java Applications - configuring JSSE
- SSL Cipher Configuration - removing weak ciphers - configuring JSSE