Are you in Miami, San Diego or Bermudas? No problem.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Wednesday, November 03, 2010 2:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL 2.0 vs SSL 3.0

Thanks, I'll give it a shot tomorrow. If it all breaks down, you'll come here to fix it for me, right? :)

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, November 03, 2010 2:29 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL 2.0 vs SSL 3.0

You can create the keys for SSL 3.0 and another one under it with client on it. Then simply follow the instructions on the document. I'm not sure if a reboot is needed for the computer or at least IIS.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Wednesday, November 03, 2010 1:47 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL 2.0 vs SSL 3.0

Thanks. I took a look at that article. When I look in the registry of our TS gateway at the key

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

the ONLY key there is SSL 2.0. There is no SSL 3.0 key. Should that concern me?

If I run the fixer application it says it will disable SSL 2.0 - I guess by putting in a new DWORD and setting it to 0. (Or does it remove the whole SSL 2.0 key?) The article doesn't give instructions for manually stopping support for SSL 2.0. So I'm concerned that if I disable 2.0, there will be neither 2.0 nor 3.0. Is that a valid concern?

Thanks,
Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Wednesday, November 03, 2010 11:47 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL 2.0 vs SSL 3.0

SSL 3.0 is most likely already enabled, what you have to do is disable 2.0 so the first one is the only one accepting the connections. That needs to be changed from the registry on your gateway server, it has nothing to do with TMG or ISA, so go to your gateway server and check the below link which will guide you in the right direction.

http://support.microsoft.com/kb/187498

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Wednesday, November 03, 2010 11:01 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] SSL 2.0 vs SSL 3.0

This may be a stupid question, or maybe not. I am ignorant on this topic.

Our Development office is looking to do some processing of credit card info on our network. So a third party ran a scan on the public side of our network. One of the things they found was that a couple of our public facing addresses are using SSL 2.0. They want us to discontinue that and use SSL 3.0.

The address in question is our Terminal Services Gateway, and it's being presented to the outside world via TMG. It only accepts HTTPS traffic. We're using a commercial SSL cert.

I have no idea how to change from SSL 2.0 to 3.0, nor what the ramifications might be if I did make the switch. Any insights?

(They found some other vulnerabilities as well, on a separate address. But I want to start with just this one question so as not to muddy the waters. I may follow up with another question or two.)

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
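
A read-only check of the Schannel registry keys discussed in this thread, added here as an example and not part of the original messages. It assumes the `Enabled` and `DisabledByDefault` DWORD values under each protocol's `Server` and `Client` subkeys; the function name `Get-SchannelProtocolState` is hypothetical. It reports a missing key separately from an explicit `Enabled = 0`, since an absent key means the Windows default applies rather than that the protocol is off.

```powershell
# Added example: read-only audit of Schannel protocol keys. It changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Get-SchannelProtocolState is a hypothetical helper name, not a built-in cmdlet.
function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,   # e.g. 'SSL 2.0'
        [Parameter(Mandatory = $true)][ValidateSet('Server', 'Client')][string]$Role
    )
    $path = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = $null
    $disabledByDefault = $null
    $keyPresent = Test-Path -LiteralPath $path
    if ($keyPresent) {
        $key = Get-Item -LiteralPath $path
        # GetValue returns the supplied default ($null) when the value is absent.
        $enabled = $key.GetValue('Enabled', $null)
        $disabledByDefault = $key.GetValue('DisabledByDefault', $null)
    }
    # A missing key or missing Enabled value is not the same as "disabled":
    # Schannel then uses the default of the installed Windows version.
    if ($null -eq $enabled) {
        $verdict = 'not configured (OS default applies)'
    } elseif ($enabled -eq 0) {
        $verdict = 'explicitly disabled'
    } else {
        $verdict = 'explicitly enabled'
    }
    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        KeyPresent        = $keyPresent
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        Verdict           = $verdict
    }
}

# The two protocols the thread is about, for both the server and client side.
$report = foreach ($p in 'SSL 2.0', 'SSL 3.0') {
    foreach ($r in 'Server', 'Client') {
        Get-SchannelProtocolState -Protocol $p -Role $r
    }
}
$report | Format-Table -AutoSize
```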