Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL ( IIS 6.0 and ISA )http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspxRunning a Custom Penetration test&#160; on IIS 6.0 server having SSL enabled may show vulnerability reports as a weak encryption on IIS . ISA server 2000 acts as&#160; proxy in front of the IIS server and also has certificate installed on it. The followingenCommunityServer 2007 SP1 (Build: 20510.895)re: Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL ( IIS 6.0 and ISA )http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx#3436561Thu, 01 Oct 2009 23:52:03 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:3436561sathai<p>This help me on the PCI test, Thanks.</p> <img src="http://blogs.iis.net/aggbug.aspx?PostID=3436561" width="1" height="1">re: Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL ( IIS 6.0 and ISA )http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx#2999957Wed, 11 Mar 2009 15:30:10 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:2999957Anonymous<p>Very interesting artilce</p> <p>Im not very familiar in cryptography but I received some questions about a customer, so Im trying to get up to speed...</p> <p>My questions is, in IIS6, if &nbsp;we install a Certificat that is Version3 (SHA-1, RSA1024,..), do we still need to perform Registry &nbsp;changes ?</p> <p>Thks</p> <p>jc</p> <img src="http://blogs.iis.net/aggbug.aspx?PostID=2999957" width="1" height="1">re: Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL ( IIS 6.0 and ISA )http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx#2997903Tue, 10 Mar 2009 23:45:11 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:2997903Anonymous<p>Yes, if you go to <a rel="nofollow" target="_new" href="http://www.serversniff.net">http://www.serversniff.net</a>, you can use their free tool to check the web server:</p> <p><a rel="nofollow" target="_new" href="http://www.serversniff.net">http://www.serversniff.net</a>/content.php?do=ssl</p> <img src="http://blogs.iis.net/aggbug.aspx?PostID=2997903" width="1" height="1">re: Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL ( IIS 6.0 and ISA )http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx#2985942Thu, 05 Mar 2009 21:50:04 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:2985942Anonymous<p>I have made the registry changes as required and rebooted the server.</p> <p>If I then test it using a browser with only SSL 2.0 Enabled, I can still get to the web site (over HTTPS). Based on this test, the registry change had no effect.</p> <p>Is this not a valid method of testing?</p> <p>Is there a tool I can use to verify what level of SSL the server is requiring? </p> <p>Thanks.</p> <img src="http://blogs.iis.net/aggbug.aspx?PostID=2985942" width="1" height="1">https:// proxy server | Digg hot tagshttp://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx#2803435Fri, 12 Dec 2008 06:44:04 GMT50bcf3b4-f6fe-4638-adff-0c150e922e99:2803435https:// proxy server | Digg hot tags<p>Pingback from &nbsp;https:// proxy server | Digg hot tags</p> <img src="http://blogs.iis.net/aggbug.aspx?PostID=2803435" width="1" height="1">