MOVEit DMZ uses Microsoft's (FIPS 140-1) SSL libraries when establishing HTTP over SSL and FTP over SSL connections. By default, these libraries allow the negotiated use of three versions of SSL: SSL version 2, SSL version 3 and TLS version 1. (TLS is basically SSL version 4.) Also by default, these libraries allow the client and server to negotiate which symmetric encryption algorithm both sides will use during the SSL session from a list which includes RC4, DES3 and others.
There are three reasons why sites want to change the default behavior.
* (It is unlikely modern clients would use SSL version 2 or PCT version 1, as most clients tend to try establishing SSL connections with TLS, then SSL3 and finally SSL2 as a fallback. However, the risk of using these protocols is still there if a client can be forced to avoid SSL3 or TLS.)
Everything sites need to change the default behavior of the SSL libraries is covered in this document. It is worth noting here, however, that a system REBOOT is REQUIRED after any SSL change before it will take effect.
As per the instructions from Microsoft's Knowledge Base Article #187498 (April 23, 2004), this is the proper procedure to disable a particular SSL version.
    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
NOTE: The valid names for "Protocol" subkeys are "PCT 1.0", "SSL 2.0", "SSL 3.0" and "TLS 1.0".
Microsoft splits the rest of its SSL encryption settings into three different registry subtrees. According to Microsoft's registry settings, the "cipher" is the symmetric encryption algorithm used to transfer data during an SSL session. The "hash" is the one-way encryption algorithm used to provide integrity checks. The "KeyExchangeAlgorithm" is the method used by both client and server to exchange their keys. Also, Microsoft means "SHA-1" when it specifies "SHA" in the registry, not "SHA-0", "SHA-256" or any other SHA variant.
As per the information from Microsoft's Knowledge Base Article #187498 (August 22, 2003), this is the proper procedure to disable a particular SSL cipher.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ciphers\DES 56/56
NOTE: The valid names for "SCHANNEL" subkeys are "ciphers", "hashes" and "KeyExchangeAlgorithms".
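To audit what is actually configured under these keys, the following added example (not part of the original documentation) parses the text of a registry export of the SCHANNEL key and reports each protocol and cipher as disabled, enabled or left at its default. It assumes the "Enabled" DWORD value that Microsoft's Knowledge Base articles use to switch a protocol or cipher off (0 means disabled); the function names and the sample export are constructed for illustration.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
PROTOCOLS = ("PCT 1.0", "SSL 2.0", "SSL 3.0", "TLS 1.0")  # valid names per the NOTE above

# Constructed sample of a "reg export" of the SCHANNEL key (not from a real server).
# Real exports are UTF-16; read them with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
'''

def parse_reg_export(text):
    """Map every [key] in the export to its {lower-cased value name: DWORD}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if section:
            current = keys.setdefault(section.group(1), {})
        elif value and current is not None:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys

def status(values):
    """'default' means no Enabled value is set, so the library default applies."""
    if "enabled" not in values:
        return "default"
    return "disabled" if values["enabled"] == 0 else "enabled"

def schannel_state(text):
    """Summarize protocol (Server side) and cipher settings found in the export."""
    state = {"protocols": {p: "default" for p in PROTOCOLS}, "ciphers": {}}
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(BASE.lower() + "\\"):
            continue
        parts = key[len(BASE) + 1:].split("\\")  # "DES 56/56" contains "/", not "\"
        if len(parts) == 3 and parts[0].lower() == "protocols" and parts[2].lower() == "server":
            state["protocols"][parts[1]] = status(values)
        elif len(parts) == 2 and parts[0].lower() == "ciphers":
            state["ciphers"][parts[1]] = status(values)
    return state
```

The report shows the configured state only; because a reboot is required before any SSL change takes effect, confirm the effective state with a live connection test as well.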
Also, as per Microsoft's recommendations, it is suggested that ALL "ciphers", "hashes" and "KeyExchangeAlgorithms" keys be DISABLED to achieve alignment with FIPS 140 EXCEPT:
To test SSL changes, first obtain a copy of OpenSSL. You can get OpenSSL.exe from the OpenSSL Project. Consult the following examples which show how to use this client and understand the information it provides.
(You need to type the commands in purple. Look for the results in green.)
Using OpenSSL to verify SSL 3 is running on a remote server
This test was performed against our moveit.stdnet.com support server. It shows a connection using SSL version 3, with a negotiated symmetric encryption algorithm called "RC4" and a "hash" algorithm called "MD5".
    D:\OSOmissions>openssl s_client -connect moveit.stdnet.com:443 -ssl3
    Loading 'screen' into random state - done
    CONNECTED(000002AC)
    depth=0 /C=US/ST=Wisconsin/L=Madison/O=Standard Networks/OU=MOVEit Site/CN=moveit.stdnet.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/ST=Wisconsin/L=Madison/O=Standard Networks/OU=MOVEit Site/CN=moveit.stdnet.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/ST=Wisconsin/L=Madison/O=Standard Networks/OU=MOVEit Site/CN=moveit.stdnet.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Wisconsin/L=Madison/O=Standard Networks/OU=MOVEit Site/CN=moveit.stdnet.com
       i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIC5DCCAk2gAwIBAgIDCeniMA0GCSqGSIb3DQEBBAUAMIHEMQswCQYDVQQGEwJa
    QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAb
    BgNVBAoTFFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0
    aW9uIFNlcnZpY2VzIERpdmlzaW9uMRkwFwYDVQQDExBUaGF3dGUgU2VydmVyIENB
    MSYwJAYJKoZIhvcNAQkBFhdzZXJ2ZXItY2VydHNAdGhhd3RlLmNvbTAeFw0wMzAx
    MTQxOTI0MDlaFw0wNTAyMDcyMjA0MThaMIGBMQswCQYDVQQGEwJVUzESMBAGA1UE
    CBMJV2lzY29uc2luMRAwDgYDVQQHEwdNYWRpc29uMRowGAYDVQQKExFTdGFuZGFy
    ZCBOZXR3b3JrczEUMBIGA1UECxMLTU9WRWl0IFNpdGUxGjAYBgNVBAMTEW1vdmVp
    dC5zdGRuZXQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCncZmY8wgl
    6avPENjI3b7CDrIBVVYlBXs8eA+dZGXBQ6NfS2pP3bAG2Mi4atFp49EY4WKwz/CV
    tyrPeTdyZOxkuIZkiC5wH+iAFJg3J6DwpzkkVPMI4lXxiOnd6cke4ZZupwUPR/4R
    w/CW2WWClQlELxv2FgOzEkqFPazzpMEWcQIDAQABoyUwIzATBgNVHSUEDDAKBggr
    BgEFBQcDATAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBAK7JtOFt5fW3
    fEBc14waYvuzKVTSh+zBuskRSVt3C4uUtxLqMBbswUmx3n29TpHInmNoL+iXZJz2
    IZEaGkMwLMXJxB0MwD19mlrK9EhZDAOI9ZUNWnZ+1gWep4SpFODFP7UOSzuU0s1z
    34xKpkqtN3nzR5iRkSEZU7nxPyl29CM0
    -----END CERTIFICATE-----
    subject=/C=US/ST=Wisconsin/L=Madison/O=Standard Networks/OU=MOVEit Site/CN=moveit.stdnet.com
    issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/emailAddress=server-certs@thawte.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 904 bytes and written 304 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    SSL-Session:
        Protocol : SSLv3
        Cipher : RC4-MD5
        Session-ID: F50400000B9D20B4B6D0605AE6BE88573A3A4D7503D861281CF0691B0FDAFC62
        Session-ID-ctx:
        Master-Key: B556889277515F16889D048A003B1C827BF0F7DF01E2EAEEE7BD45F518912B24F1FE19762809BA770E215C8FFA99C330
        Key-Arg : None
        Start Time: 1075827324
        Timeout : 7200 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    (ctrl+c)
    DONE
Using OpenSSL to verify SSL 3 is NOT running on a remote server
(This test was performed against an internal IIS server after SSL3 was manually disabled.)
    D:\OSOmissions>openssl s_client -connect localhost:443 -ssl3
    Loading 'screen' into random state - done
    CONNECTED(000002AC)
    1484:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:./ssl/s3_pkt.c:529:
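When the same check has to be repeated after each registry change and reboot, the two outcomes shown above can be told apart automatically. The following is an added example, not part of the original documentation: it classifies captured `openssl s_client` output and reports any protocol that was meant to be disabled but still completes a handshake. The function names are hypothetical and the sample outputs are constructed, abridged from the two transcripts above.

```python
import re

# Constructed samples, abridged from the two transcripts above.
SSL3_ACCEPTED = """CONNECTED(000002AC)
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Verify return code: 21 (unable to verify the first certificate)
"""
SSL3_REFUSED = """CONNECTED(000002AC)
1484:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:./ssl/s3_pkt.c:529:
"""

def classify_s_client(output):
    """Return the handshake result, protocol and cipher found in s_client output."""
    failed = re.search(r"error:[0-9A-Fa-f]+:SSL routines:", output) is not None
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    # Some OpenSSL builds still print a session block after a failed handshake,
    # with the cipher shown as 0000 or (NONE); treat that as "no session".
    ok = (not failed and cipher is not None
          and cipher.group(1) not in ("0000", "(NONE)"))
    return {"handshake": ok,
            "protocol": proto.group(1) if ok and proto else None,
            "cipher": cipher.group(1) if ok else None}

def check_hardening(outputs, disabled):
    """outputs: {s_client flag: captured output}; disabled: flags that must fail."""
    findings = []
    for flag, text in sorted(outputs.items()):
        result = classify_s_client(text)
        if flag in disabled and result["handshake"]:
            findings.append("%s: still negotiates %s with %s"
                            % (flag, result["protocol"], result["cipher"]))
        elif flag not in disabled and not result["handshake"]:
            findings.append("%s: handshake failed but protocol should be enabled" % flag)
    return findings

if __name__ == "__main__":
    print(check_hardening({"-ssl3": SSL3_ACCEPTED}, disabled={"-ssl3"}))
```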
By default, Microsoft SSL only logs serious SSL connection errors to the event log. However, you can change the level of SSL connection information logged here by making a Windows registry change. First, make sure the following REG_DWORD registry entry exists. (Add it if it does not.)
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
One of the following values should be used in this field.
You will need to restart your computer for this value to take effect. More information can be found on Microsoft's Support site under the "How to enable schannel event logging" topic (#260729).