Win2012R2, IIS 8.5 and logging client crypto settings

All major browsers will disable TLS 1.0/1.1 support next spring, many of them in Q1/2020. The SSL Server Test by SSL Labs will start capping the rating at B if the server offers TLS 1.0/1.1.

So these are the last months to start deprecating those settings and to verify that all crypto-related configs are in good condition. Really easy to do with Apache and nginx. Not so easy with IIS. Well, it is quite easy if you are really familiar with editing the registry (or have enough Google-fu in your back pocket).

I contacted one project manager about this so he could ask the customer if it's okay that we disable TLS 1.0/1.1. *sigh* I should have just disabled it and not told anyone, but I usually try to play by the book. ;)

"But based on the data, there will be many percent of users who can't access that site anymore!"

Yes, globally. This is a national service, not used by many global users, I suppose. And I really think the situation in Finland is much better than the global one in this respect. If you have a computer with a browser made after 2014 or Android newer than 4.4, you are okay. No idea about Apple products, or how new a version you would need in this case, but I suppose it's not an issue.

But he still couldn't accept my view. He required data! Yes, good thinking. I also love data. But sometimes you just need to decide even when you don't have any.

Finally I agreed to look at the IIS logs, because logs will reveal everything, right?

No. Not this time.

By default IIS won't log crypto-related settings, and enabling them is not just one button. *sigh* Why can't I just play with Linux systems??

Luckily we have Google. I don't understand how anyone could get anything done before we had really working search engines? ;) So, a quick search found me these links:
The problem after reading these was that the crypto-* sources can't be found in the Source box automatically, as can be seen below. I searched for quite a long time, verified IIS versions, checked which version has this functionality (it should be available at least starting from Win2008R2/IIS8), and so on.

Until I decided to just type them into the box. And it works. Now I have beautiful IIS logs, which I can comb through later and plot how many clients are using TLS 1.0/1.1.

I just need to parse dozens (or thousands) of megabytes of text files, where lines end in '400 6610 8004 ae06', which really means: TLS1.2 AES_256 SHA1 ECDH_EPHEM. Simple, right?
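The parsing step described above, as an added example that is not from the original post: it decodes the four trailing hex columns with the schannel SP_PROT_* and wincrypt ALG_ID constants and tallies which protocol versions clients actually negotiated. The custom field names in the #Fields header (crypt-protocol and friends) and the log excerpt are constructed assumptions.

```python
from collections import Counter

# schannel.h SP_PROT_* flags; each mask covers the server and client bit of one version.
PROTOCOLS = {0x3000: "TLS1.3", 0xc00: "TLS1.2", 0x300: "TLS1.1",
             0xc0: "TLS1.0", 0x30: "SSL3", 0xc: "SSL2"}
# wincrypt.h ALG_ID values for the cipher, hash and key-exchange columns.
CIPHERS = {0x6610: "AES_256", 0x660e: "AES_128", 0x6603: "3DES", 0x6801: "RC4"}
HASHES = {0x8004: "SHA1", 0x800c: "SHA_256", 0x800d: "SHA_384", 0x8003: "MD5"}
KEYEX = {0xae06: "ECDH_EPHEM", 0xaa02: "DH_EPHEM", 0xa400: "RSA_KEYX"}

# Constructed W3C log excerpt. The four custom field names in the #Fields header are
# an assumption; IIS writes whatever names you gave the custom fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time c-ip cs-method cs-uri-stem sc-status crypt-protocol crypt-cipher crypt-hash crypt-keyex
2019-10-01 08:00:01 203.0.113.10 GET /index.html 200 400 6610 8004 ae06
2019-10-01 08:00:02 203.0.113.11 GET /login 200 40 6603 8004 a400
2019-10-01 08:00:03 203.0.113.12 GET /api/v1 200 400 660e 800c ae06
2019-10-01 08:00:04 203.0.113.13 GET /old 304 100 6610 8004 a400
"""

def decode(protocol_hex, cipher_hex, hash_hex, keyex_hex):
    """Map '400 6610 8004 ae06' to ('TLS1.2', 'AES_256', 'SHA1', 'ECDH_EPHEM')."""
    proto = int(protocol_hex, 16)
    version = next((name for mask, name in PROTOCOLS.items() if proto & mask),
                   "UNKNOWN(%#x)" % proto)
    lookup = lambda table, h: table.get(int(h, 16), "UNKNOWN(0x%s)" % h)
    return (version, lookup(CIPHERS, cipher_hex), lookup(HASHES, hash_hex),
            lookup(KEYEX, keyex_hex))

def protocol_counts(log_text):
    """Tally negotiated protocol versions; column positions come from the #Fields line."""
    fields, counts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS rewrites this header when fields change
            continue
        if line.startswith("#") or not line.strip():
            continue                        # other directives and blank lines
        row = dict(zip(fields, line.split()))
        version = decode(row["crypt-protocol"], row["crypt-cipher"],
                         row["crypt-hash"], row["crypt-keyex"])[0]
        counts[version] += 1
    return counts

if __name__ == "__main__":
    for version, n in protocol_counts(SAMPLE_LOG).most_common():
        print(version, n)
```

Point it at the real log directory by concatenating the files into `log_text`; the #Fields line is re-read whenever it appears, so logs written before the custom fields were added can be skipped by checking for the crypt-* names.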
