Are you saying that when you set 128-bit enforcement, insecure connections can be created?

Tom

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
Sent: Wednesday, March 21, 2007 7:30 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Penetration Test - SSL Weak Cipher False Positive

Hi All,

After seeing a few ISA security or penetration tests recently, a common theme relating to weak SSL ciphers is appearing.

The first time this was reported by a customer, I contacted PSS, who explained that the issue was due to the fact that the operating system would negotiate SSL at a low cipher strength irrespective of ISA, and that ISA would drop all weak-cipher traffic if the "use 128 bit encryption" option was enabled on the web listener. E.g. you *can* negotiate a low cipher, but ISA will drop traffic that does not meet 128 bit. The 'SSL Digger' tool is an example of how to generate the false positive.

PSS provide a KB on how to configure the OS to only allow specific ciphers, but this is pretty full-on and includes some hardcore registry changes. Not all customers have been keen to make these changes to pass the tests.

Does anyone know if MS plans to create a KB to explain this false positive when using ISA? If not, can someone suggest it is created to provide customers with an explanation?

I am managing to convince most customers, but a few have asked for a written response from Microsoft to confirm the issue is indeed a false positive and not a legitimate issue.

Any help appreciated...

JJ
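The OS-level fix the thread alludes to (restricting which ciphers Schannel will negotiate, so a weak handshake never completes and the scanner has nothing to flag) can be scripted rather than done by hand in the registry editor. The following is an added example, not code from the list posts or from Microsoft's KB; it assumes the Windows Server 2003-era Schannel registry layout under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers, where each cipher subkey carries a DWORD named Enabled (0 disables it, 0xffffffff enables it), as described in Microsoft KB 245030, which I am assuming is the article PSS pointed to. The split into "weak" and "strong" cipher names below is my own choice for the example, not the thread's, and the function names are hypothetical.

```powershell
# Added example (not from the thread): disable export-grade Schannel ciphers so the
# operating system itself refuses a weak handshake, instead of relying on ISA to drop
# the traffic afterwards. Run from an elevated prompt on the ISA server; Schannel
# reads these keys at boot, so a reboot is needed before re-testing.

$SchannelCiphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Assumed classification for this example: everything under 128 bits, plus NULL, is weak.
$WeakCiphers   = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128'
$StrongCiphers = 'RC4 128/128', 'Triple DES 168', 'AES 128/128', 'AES 256/256'

function Open-SchannelCiphersKey {
    # The cipher subkey names contain "/", which the PowerShell registry provider treats
    # as a path separator, so New-Item / Set-ItemProperty would create the wrong keys.
    # Go through the .NET registry API, which takes the name literally.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $hklm.OpenSubKey($SchannelCiphers, $true)
    if ($null -eq $key) { $key = $hklm.CreateSubKey($SchannelCiphers) }
    return $key
}

function Set-SchannelCipher {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    $ciphers = Open-SchannelCiphersKey
    try {
        $sub = $ciphers.CreateSubKey($Name)   # opens the subkey if it already exists
        # 0xffffffff does not fit a signed Int32; -1 has the same 32-bit pattern.
        $value = if ($Enabled) { -1 } else { 0 }
        $sub.SetValue('Enabled', [int]$value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    } finally {
        $ciphers.Close()
    }
}

function Get-SchannelCipherState {
    # Reads back every cipher subkey so the change can be verified and shown to the
    # tester alongside the pentest report.
    $ciphers = Open-SchannelCiphersKey
    try {
        foreach ($name in $ciphers.GetSubKeyNames()) {
            $sub = $ciphers.OpenSubKey($name)
            $raw = $sub.GetValue('Enabled')
            $sub.Close()
            New-Object PSObject -Property @{
                Cipher  = $name
                # No Enabled value at all means Schannel's default, which is "enabled".
                Enabled = ($null -eq $raw) -or ($raw -ne 0)
            }
        }
    } finally {
        $ciphers.Close()
    }
}

foreach ($c in $WeakCiphers)   { Set-SchannelCipher -Name $c -Enabled $false }
foreach ($c in $StrongCiphers) { Set-SchannelCipher -Name $c -Enabled $true }

Get-SchannelCipherState | Sort-Object Cipher | Format-Table Cipher, Enabled -AutoSize
Write-Host 'Reboot, then re-run the scanner: a weak handshake should now fail outright.'
```

Two caveats worth stating to a customer: this changes cipher negotiation for every Schannel consumer on the box (IIS, RDP, any other TLS listener), not just the ISA web listener, so test it on a non-production server first; and the "strong" list above reflects the thread's 128-bit yardstick, so RC4 128/128 is kept enabled here even though a present-day policy would disable it as well. Leaving the weak ciphers enabled and relying on the listener's "use 128 bit encryption" option is still safe in the sense the thread describes, since ISA discards the traffic, but the handshake itself still completes, which is exactly what the scanner reports.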