Disable the SSL v3 Protocol on IIS and Apache
Disable the SSL v3 Protocol on IIS
  1. Open the Registry Editor and run it as administrator. For example, in Windows 2012:
    1. On the Start screen type regedit.exe.
    2. Right-click on regedit.exe and click Run as administrator.
  2. In the Registry Editor window, go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
  3. In the navigation tree, right-click on Protocols, and in the pop-up menu, click New > Key.
  4. Name the key, SSL 3.0.
  5. In the navigation tree, right-click on the new SSL 3.0 key that you just created, and in the pop-up menu, click New > Key.
  6. Name the key, Client.
  7. In the navigation tree, right-click on the new SSL 3.0 key again, and in the pop-up menu, click New > Key.
  8. Name the key, Server.
  9. In the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value.
  10. Name the value DisabledByDefault.
  11. In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.
  12. In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then, click OK.
  13. In the navigation tree, under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value.
  14. Name the value Enabled.
  15. In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value.
  16. In the Edit DWORD (32-bit) Value window, in the Value Data box leave the value at 0 and then, click OK.
  17. Restart your Windows server. You have successfully disabled the SSL v3 protocol.
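
The same registry changes as steps 2 to 16, written as a PowerShell script. This is an added example, not part of the original post; the function names and the -AuditOnly switch are hypothetical names chosen here. Run it from an elevated prompt, and restart the server afterwards as in step 17.

```powershell
# Added example, not the original author's script. Run from an elevated prompt.
# Function names and the -AuditOnly switch are hypothetical names chosen here.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'

# The two values created in steps 9-16 above.
$wanted = @(
    @{ SubKey = 'Client'; Name = 'DisabledByDefault'; Value = 1 },
    @{ SubKey = 'Server'; Name = 'Enabled';           Value = 0 }
)

function Get-Ssl3Setting {
    # Returns the current DWORD, or $null when the key or the value is missing.
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $base $SubKey
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Set-Ssl3Disabled {
    # With -AuditOnly the registry is only read; nothing is written.
    param([switch]$AuditOnly)
    foreach ($w in $wanted) {
        $path    = Join-Path $base $w.SubKey
        $before  = Get-Ssl3Setting -SubKey $w.SubKey -Name $w.Name
        # A missing value is not the same as 0, so test for $null explicitly.
        $ok      = ($null -ne $before) -and ($before -eq $w.Value)
        $written = $false
        if (-not $ok -and -not $AuditOnly) {
            # Create "SSL 3.0\Client" or "SSL 3.0\Server" only if absent, so
            # values already present under an existing key are left alone.
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -Path $path -Force | Out-Null
            }
            New-ItemProperty -Path $path -Name $w.Name -Value $w.Value -PropertyType DWord -Force | Out-Null
            $written = $true
        }
        [pscustomobject]@{
            Key = "SSL 3.0\$($w.SubKey)"; Value = $w.Name
            Before = $before; Expected = $w.Value; Written = $written
        }
    }
}

Set-Ssl3Disabled -AuditOnly | Format-Table -AutoSize   # report current state
# Set-Ssl3Disabled | Format-Table -AutoSize            # apply the change
```

An empty Before column in the audit output means the key or value does not exist yet.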
Disable the SSL v3 Protocol on Apache

In this section, I will show you a little more than just disabling SSLv3. The following steps will allow you to:

  • disable SSLv3 and SSLv2
  • disable SSL Compression
  • disable RC4 Cipher

Edit your vhost and add the following lines:

SSLEngine on
SSLCompression off
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

And that’s all! Just reload Apache and it is done:

service apache2 reload 
Test your SSL Server

To test your SSL server, go here

Yes I'm proud :)

