Dienstag, 3. September 2013

How To Enable SSL 3.0 Server 2008 /SBS 2008/SBS2011


Server 2008,server 2008 SBS and SBS 2011 do have the functionality for SSL 3.0 however by default it does not understand anything that tries to connect with this protocol. For security reasons if you need to enable SSL 3.0 on your server we can enable it with some additional registry keys. Follow the step by step guide below.



• Using regedit to add the following keys ( right click on protocols -> new -> key -> “SSL 2.0″ then “SSL 3.0″ then “TLS 1.0″ )HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0

• Under each of the keys above you need to create additional keys “Client” and “Server”

Enable ssl 3.0

For SSL 2.0:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

For SSL 3.0:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

For TLS 1.0:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Then you will have to create DWORD (32bit) value called “Enabled” under each “Client” and “Server” key for “SSL 2.0, SSL 3.0 and TLS 1.0″
DWORD (32bit) Value

Value name = Enabled

Value date = 0

Value date can be set to “1″ – Enabled or “0″ – Disabled

In my scenario the values were “enabled” (set to 1) for SSL 3.0 and TLS 1.0 and “disabled” (set to 0) for SSL 2.0

Here is a disabled value for ssl 2.0

Enable ssl 3.0 server 2008

and here is SSL 3.0 enabled

Enable ssl 3.0 server 2008

• Next step is to add correct Ciphers, to do so you will have to navigate to the following key in the registryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Ciphers

• (right click on “Cliphers” New -> Key)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128 HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168

• That’s all! Now you need to restart your server to apply those changes.

• If you are using TMG 2010 or ISA 2006 to publish the website externally you will need to apply exactly the same settings to registry to it.

Gemalpto Smart Card Reader only appears as "Shared" not "Passthrough"

you can manually enable passthrough mode. The reason why the passthrough mode was disabled was because we were stepping toes with a service...