IIS / SMTP - Disable SSLv2 [duplicate]

1

I am trying to disable SSL 2.0 on our IIS / SMTP server. We are running Windows Server 2008 R2 Enterprise (64-bit). We use the IIS 6 Manager to manage the SMTP virtual servers. I have tried several methods, but none of them has worked. I also did a full reboot after each change.

I am testing from another server with the following command, but it still shows as connected via SSL2:

$ openssl s_client -debug -connect servername:25 -ssl2

CONNECTED(00000003)

write to 0x600078840 [0x600181951] (45 bytes => 45 (0x2D))

0000 - 80 2b 01 00 02 00 12 00-00 00 10 03 00 80 01 00   .+..............

0010 - 80 07 00 c0 06 00 40 04-00 80 02 00 80 ba 66 21   ......@.......f!

0020 - fe 2d 4c 49 44 b9 23 e5-f9 10 a5 21 7f            .-LID.#....!.

read from 0x600078840 [0x600070790] (2 bytes => 2 (0x2))

0000 - 32 32                                             22

read from 0x600078840 [0x600070792] (12851 bytes => 123 (0x7B))

0000 - 30 20 6d 61 69 6c 2e 65-67 32 2e 66 69 65 6c 64   0 mail.ourdomain

0010 - 67 6c 61 73 73 2e 6e 65-74 20 4d 69 63 72 6f 73   name.net Micros

0020 - 6f 66 74 20 45 53 4d 54-50 20 4d 41 49 4c 20 53   oft ESMTP MAIL S

0030 - 65 72 76 69 63 65 2c 20-56 65 72 73 69 6f 6e 3a   ervice, Version:

0040 - 20 37 2e 35 2e 37 36 30-31 2e 31 37 35 31 34 20    7.5.7601.17514

0050 - 72 65 61 64 79 20 61 74-20 20 57 65 64 2c 20 38   ready at  Wed, 8

0060 - 20 4a 75 6c 20 32 30 31-35 20 31 34 3a 32 36 3a    Jul 2015 14:26:

0070 - 31 35 20 2b 30 30 30 30-20 0d 0a                  15 +0000 ..

I started with Microsoft's recommendation: link

Instead of PCT 1.0, I used SSL 2.0:

To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:

Click Start, click Run, type regedt32 or type regedit, and then click OK. In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

On the Edit menu, click Add Value. In the Data Type list, click DWORD. In the Value Name box, type Enabled, and then click OK.

Note If this value is present, double-click the value to edit its current value. Type 00000000 in the Binary Editor to set the value of the new key equal to "0". Click OK. Restart the computer.

I also tested this method: link

I even tried using IIS Crypto and it still shows as connecting via SSL2.

by cas32 08.07.2015 / 16:57

1 answer

0

Here is an excerpt from a PowerShell script I wrote a few months ago to do a bunch of things related to protocol and cipher support. I wrote it specifically for Server 2008 R2.

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"

This creates and sets a registry key, which should mean that the server will no longer support SSL 2.0 for incoming connections. You can run this on the server in question to disable SSL 2.0.

Here is the full script if you are interested. Please check how relevant it is to your scenario before using it, since it drops support for clients with older operating systems and browsers. Also, these settings were tailored for a web server.

# Enables TLS 1.1 & 1.2 and disables SSL 2.0 and SSL 3.0 (both as client and server) on Windows Server 2008 R2 and Windows 7. Additionally it reorders a few cipher suites to prefer stronger ciphers and disables RC4 ciphers.

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"

# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enable TLS 1.1 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

# Enable TLS 1.2 for client and server SCHANNEL communications
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"

# Disable SSL 2.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"

# Disable SSL 3.0 (POODLE)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -name Enabled -value 0 -PropertyType "DWord"

# Set preferred cipher suites
new-itemproperty -path "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" -name Functions -value "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" -PropertyType "String"

# Disable RC4 ciphers
# These keys do not exist so they need to be created prior to setting values.
# The PowerShell registry provider treats "/" as a path separator, so md "...\Ciphers\RC4 128/128"
# would create a key named "RC4 128" with a subkey "128" rather than the "RC4 128/128" key SCHANNEL
# reads. The .NET registry API takes the key name literally, so it is used for the RC4 keys.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers")
foreach ($rc4 in "RC4 128/128", "RC4 40/128", "RC4 56/128") {
    $key = $ciphers.CreateSubKey($rc4)
    $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}
$ciphers.Close()
    
por 08.07.2015 / 22:03
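The registry procedure in the question and the answer's script both set the same SCHANNEL keys; the difference is that `md` and `new-itemproperty` fail on a second run once the key or value exists, and neither shows what the server will actually use afterwards. The following is an added example, not the answer's script or Microsoft's documented steps: an idempotent version of the protocol settings (PowerShell 2.0 syntax, since that is what Server 2008 R2 ships) with a read-back check. Function names are mine; the registry layout is the documented SCHANNEL one; it assumes an elevated PowerShell on the SMTP server and a reboot afterwards, as the question already does.

```powershell
# Added example (not the answer's script): idempotent SCHANNEL protocol settings for
# Windows Server 2008 R2 plus a read-back check. Assumptions: elevated PowerShell on the
# server, documented SCHANNEL registry layout, reboot after applying.

$SchannelProtocols = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,                                 # e.g. "SSL 2.0"
        [Parameter(Mandatory=$true)][ValidateSet("Server", "Client")][string]$Side,
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    $path = Join-Path $SchannelProtocols "$Protocol\$Side"
    # New-Item -Force creates missing parent keys and succeeds if the key already exists,
    # so the script can be re-run; md / new-itemproperty without -Force error out the second time.
    New-Item -Path $path -Force | Out-Null
    # Enabled = 0 switches the protocol off; DisabledByDefault = 1 also keeps it out of the
    # default negotiation set. A disabled protocol gets both, an enabled one the opposite.
    if ($Enabled) { $en = 1; $dbd = 0 } else { $en = 0; $dbd = 1 }
    Set-ItemProperty -Path $path -Name "Enabled" -Value $en -Type DWord
    Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value $dbd -Type DWord
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path $SchannelProtocols "$Protocol\$Side"
    $state = "OS default (key absent)"
    $enabled = $null; $dbd = $null
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        $enabled = $props.Enabled; $dbd = $props.DisabledByDefault
        if ($enabled -eq $null)  { $state = "OS default (Enabled value absent)" }
        elseif ($enabled -eq 0)  { $state = "disabled" }
        elseif ($dbd -eq 1)      { $state = "enabled, not offered by default" }
        else                     { $state = "enabled" }
    }
    New-Object PSObject -Property @{
        Protocol = $Protocol; Side = $Side; Enabled = $enabled; DisabledByDefault = $dbd; State = $state
    }
}

# Disable SSL 2.0 on both sides (the question's goal) and make sure TLS 1.2 stays available.
Set-SchannelProtocol -Protocol "SSL 2.0" -Side Server -Enabled $false
Set-SchannelProtocol -Protocol "SSL 2.0" -Side Client -Enabled $false
Set-SchannelProtocol -Protocol "TLS 1.2" -Side Server -Enabled $true
Set-SchannelProtocol -Protocol "TLS 1.2" -Side Client -Enabled $true

# Read back what SCHANNEL will use after the reboot.
$(foreach ($p in "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2") {
    foreach ($s in "Server", "Client") { Get-SchannelProtocolState -Protocol $p -Side $s }
}) | Format-Table Protocol, Side, Enabled, DisabledByDefault, State -AutoSize
```

When re-testing, note that `CONNECTED(00000003)` in `openssl s_client` only reports that the TCP connection was established. Port 25 speaks plaintext SMTP first, which is why the dump in the question shows the server's `220 ... Microsoft ESMTP MAIL Service` banner being read back rather than an SSLv2 ServerHello. To exercise the TLS layer of the SMTP service, add `-starttls smtp` to the command (`openssl s_client -starttls smtp -connect servername:25 -ssl2`); with SSL 2.0 disabled the handshake fails instead of producing a session.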
