Choosing SSL/TLS and Ciphers for IIS
While deploying a new web server in our web farm I noticed that the server I had created was giving me some headaches with SSL. It would sometimes present invalid certificates, and if I tried telnet against port 443 the connection closed almost immediately. This indicated a problem, but I did not hear of any problems with customers accessing our services. Then an employee who was using a testing application informed me that one of his testing servers was disconnecting with 500 Internal Server Error responses. I realized this must be because of the new web server, as all the other testing machines had no problems and somehow this particular one was ending up on the new server. So I started investigating.
The first question was how to determine the differences between the old and new servers. I looked online to see whether I could check which SSL/TLS protocols and ciphers our servers were offering. There are online tools that do this, for instance ssllabs, but there was no way for me to hit each individual web server from the Internet: all the hostnames pointed to a load balancer, and the load balancer decided where each request went. So I needed a tool that could be used from inside the network. This was possible with openssl s_client, but it only shows the cipher negotiated for the current connection, not the full set of ciphers the web server accepts. Luckily I found sslscan by Titania, and there was already a package for sslscan available on Ubuntu. After installing it I was able to scan my servers with a simple command:
# to see all ciphers, whether accepted by the web server or not
sslscan webserver.domain.com:443
# to see only the ones that actually work
sslscan --no-failed webserver.domain.com:443
This way I was able to see exactly what each of the web servers in the farm was offering. I also found that our web servers had some RC4 ciphers enabled, which are considered weak, so I needed some sort of best practice to follow. Again I went hunting for answers and found a really nice tool that lets you do exactly what I needed with no fuss.
All the cipher settings live in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, where you will find the settings for which ciphers, hashes and protocols are enabled. Going through all of them by hand was a pain, and I wanted to make sure the configuration on all web servers was exactly the same. That is when I found a nice little tool by Nartac Software called IIS Crypto. The tool has a GUI as well as a command-line mode, and you can simply choose the best practices, PCI compliance or FIPS compliance template and it shows you all the settings required for each. Once you are happy with the choice, click apply and it makes the necessary changes in the registry. It does, however, require a reboot. After the reboot all my changes were in place and I was following the best practices. Good learning.
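To check that every server in the farm really ends up with the same SCHANNEL configuration after applying a template (and to spot an RC4 cipher or an old protocol that is still enabled), the following read-only audit script can be run on each web server and the reports compared. It is an added example and is not code from the original post, from sslscan or from IIS Crypto. It assumes the standard SCHANNEL key names listed in it, that a DWORD `Enabled` of 0 disables an item, and that a missing key means the operating system default applies (which differs between Windows versions), so such items are reported as "OS default" rather than guessed.

```powershell
# Added example, not from the original post, sslscan or IIS Crypto.
# Read-only audit of the SCHANNEL registry keys described above. Run it on each
# web server in the farm and compare the reports to see where the servers differ.
# Assumptions: the key names below are the standard SCHANNEL algorithm names;
# DWORD Enabled = 0 disables an item; an absent key means the OS default applies.

$SchannelRelativePath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelSetting {
    param(
        [Parameter(Mandatory)][string]$Category,  # 'Protocols', 'Ciphers' or 'Hashes'
        [Parameter(Mandatory)][string]$Name,      # e.g. 'TLS 1.0', 'RC4 128/128', 'MD5'
        [string]$Side = ''                        # 'Server' or 'Client' for Protocols
    )
    $relative = "$SchannelRelativePath\$Category\$Name"
    if ($Side) { $relative += "\$Side" }
    $label = $relative.Substring($SchannelRelativePath.Length + 1)

    # Cipher key names such as 'RC4 128/128' contain a slash, which the HKLM:
    # provider treats as a path separator, so open the key through .NET instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($relative)
    if ($null -eq $key) {
        return [pscustomobject]@{ Setting = $label; Enabled = 'OS default'; DisabledByDefault = 'OS default' }
    }
    try {
        [pscustomobject]@{
            Setting           = $label
            Enabled           = $key.GetValue('Enabled', 'OS default')
            DisabledByDefault = $key.GetValue('DisabledByDefault', 'OS default')
        }
    }
    finally { $key.Close() }
}

# Items a best-practice template is expected to have disabled: the post's
# concern was RC4; SSL 2.0/3.0, DES, NULL and MD5 are the usual companions.
$WeakItems = @(
    @{ Category = 'Protocols'; Name = 'SSL 2.0';     Side = 'Server' },
    @{ Category = 'Protocols'; Name = 'SSL 3.0';     Side = 'Server' },
    @{ Category = 'Ciphers';   Name = 'RC4 128/128' },
    @{ Category = 'Ciphers';   Name = 'RC4 64/128' },
    @{ Category = 'Ciphers';   Name = 'RC4 56/128' },
    @{ Category = 'Ciphers';   Name = 'RC4 40/128' },
    @{ Category = 'Ciphers';   Name = 'DES 56/56' },
    @{ Category = 'Ciphers';   Name = 'NULL' },
    @{ Category = 'Hashes';    Name = 'MD5' }
)

function Get-SchannelAudit {
    foreach ($item in $WeakItems) {
        $s = Get-SchannelSetting @item
        # Enabled = 0 is the only value that disables an item; 1 or 0xFFFFFFFF
        # (read back as -1) enables it, and 'OS default' needs a manual check.
        $state = if ($s.Enabled -is [int] -and $s.Enabled -eq 0) { 'disabled' }
                 elseif ($s.Enabled -eq 'OS default')              { 'OS default (verify)' }
                 else                                              { 'ENABLED' }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Setting = $s.Setting; State = $state }
    }
}

# Usage: produce the report on each server, export it, then diff two reports.
Get-SchannelAudit | Format-Table -AutoSize
# Get-SchannelAudit | Export-Csv "$env:COMPUTERNAME-schannel.csv" -NoTypeInformation
# Compare-Object (Import-Csv old.csv) (Import-Csv new.csv) -Property Setting, State
```

The script only reads the registry; changing the values is still done through IIS Crypto (or by writing the keys yourself), and as the post notes the change only takes effect after a reboot, so run the audit after the reboot. An "OS default (verify)" line means the key was never written, so the server is relying on whatever that Windows version ships with, which is exactly the kind of silent difference between an old and a new server that the post describes.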