Disabling SSL 2.0 and enabling TLS 1.0 and SSL 3.0 on Windows 2003

By default, Windows Server 2003 gives priority to SSL 2.0. However, SSL 2.0 is obsolete and carries many risks and security flaws, most notably the "man-in-the-middle" flaw. Follow the steps below to disable SSL 2.0 and PCT 1.0, and then enable TLS 1.0 and SSL 3.0:

To disable SSL 2.0:
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value.

6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
7. Click OK. Restart the computer.

You may find that you need to disable PCT 1.0 as well, but by default this is not installed in Windows.

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value.

6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
7. Click OK. Restart the computer.

After that, still at this location, if the two entries "SSL 3.0" and "TLS 1.0" are not present, you must create them and then add the corresponding value "1" to each to enable them.
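To check the result of the procedure above, the following added example (not part of the original article or of any Microsoft tool) audits the text of a registry export of the SCHANNEL\Protocols key. The sample export is constructed, and treating any nonzero Enabled value as "enabled" is an assumption.

```python
import re

# Server-side state the procedure above aims for (False = disabled, True = enabled).
EXPECTED = {"SSL 2.0": False, "PCT 1.0": False, "SSL 3.0": True, "TLS 1.0": True}
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Constructed sample in .reg export form (not from a real host). TLS 1.0 was created
# under Client instead of Server on purpose, a mistake the audit should surface.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "[" + BASE + r"\SSL 2.0\Server]", '"Enabled"=dword:00000000',
    "[" + BASE + r"\PCT 1.0\Server]", '"Enabled"=hex:00,00,00,00',
    "[" + BASE + r"\SSL 3.0\Server]", '"Enabled"=dword:00000001',
    "[" + BASE + r"\TLS 1.0\Client]", '"Enabled"=dword:00000001',
])

KEY_RE = re.compile(r"^\[" + re.escape(BASE) + r"\\([^\\\]]+)\\Server\]$", re.I)
VAL_RE = re.compile(r'^"Enabled"=(?:dword|hex):([0-9a-f,]+)$', re.I)

def parse_server_protocols(text):
    """Map protocol name -> bool for each <protocol> Server key that has an Enabled value."""
    state, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # Client subkeys and unrelated keys are skipped
        elif current:
            v = VAL_RE.match(line)
            if v:  # REG_DWORD and REG_BINARY forms both count; nonzero = enabled (assumption)
                state[current] = int(v.group(1).replace(",", ""), 16) != 0
    return state

def audit(text):
    """Return a list of deviations from EXPECTED; an empty list means the host matches."""
    state, findings = parse_server_protocols(text), []
    for proto, want in EXPECTED.items():
        have = state.get(proto)
        if have is None:
            findings.append(f"{proto}: no Enabled value under Server, OS default applies")
        elif have != want:
            findings.append(f"{proto}: is {'enabled' if have else 'disabled'}, "
                            f"expected {'enabled' if want else 'disabled'}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)) or "OK")
```

Files exported by Registry Editor in the "Version 5.00" format are UTF-16 encoded, so decode them before passing the text to `audit`.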

See the differences between SSL 2.0 and SSL 3.0:

Security improvements:

1. SSL 2.0 is vulnerable to a "man-in-the-middle" attack. An
active attacker can invisibly edit the list of ciphersuite
preferences in the hello messages to invisibly force both client and
server to use 40-bit encryption. SSL 3.0 defends against this
attack by having the last handshake message include a hash of all
the previous handshake messages.

2. SSL 2.0 uses a weak MAC construction, although post-encryption
seems to stop attacks. This is fixed in 3.0.

3. SSL 2.0 feeds padding bytes into the MAC in block cipher modes,
but leaves the padding-length field unauthenticated, which could
allow active attackers to delete bytes from the end of messages.
This, too, is fixed in 3.0.

4. In SSL 3.0, the Message Authentication Hash uses a full 128 bits
of keying material, even when using an Export cipher. In SSL 2.0,
Message Authentication used only 40 bits when using an Export
cipher.

Functionality improvements:

1. In SSL 2.0, the client can only initiate a handshake at the
beginning of the connection. In 3.0, the client can initiate a
handshake routine, even in the middle of an open session. A server
can request that the client start a new handshake. Thus, the
parties can change the algorithms and keys used whenever they want.

2. SSL 3.0 allows the server and client to send chains of
certificates. This allows organizations to use a certificate
hierarchy that is more than two certifications deep.

3. SSL 3.0 has a generalized key exchange protocol. It allows
Diffie-Hellman and Fortezza key exchanges and non-RSA certificates.

4. SSL 3.0 allows for record compression and decompression.

Backward compatibility:

1. SSL 3.0 can recognize an SSL 2.0 client hello and fall back to
SSL 2.0. An SSL 3.0 client can also generate an SSL 2.0 client
hello with the version set to SSL 3.0, so SSL 3.0 servers will
continue the handshake in SSL 3.0, and an SSL 2.0 server will cause the
client to fall back to SSL 2.0.

Other:

1. SSL 3.0 separates the transport of data from the message layer.
In 2.0, each packet contained only one handshake message. In 3.0, a
record may contain part of a message, a whole message, or several
messages. This requires different logic to process packets into
handshake messages. Therefore, the formatting of the packets had to
be completely changed.

2. Cipher specifications, handshake messages, and other constants
are different.
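The defence in security improvement 1 above, as an added example that is not from the original article or the quoted FAQ: a toy hello exchange in which both sides compare a keyed hash over the handshake messages. HMAC-SHA256, the message format and the suite names are simplifying assumptions; SSL 3.0's real Finished computation is different.

```python
import hashlib
import hmac

# Toy suite names, constructed for this example; the server prefers the strong one.
SERVER_PREFERENCE = [b"RC4_128", b"EXPORT_RC4_40"]
PREFIX = b"HELLO "

def finished_mac(master_secret, transcript):
    """Keyed hash over all handshake messages (stand-in for the SSL 3.0 Finished hash)."""
    mac = hmac.new(master_secret, digestmod=hashlib.sha256)
    for msg in transcript:
        mac.update(len(msg).to_bytes(2, "big") + msg)  # length prefix keeps boundaries unambiguous
    return mac.digest()

def handshake(client_suites, in_transit=None):
    """Return (suite the server picked, whether the Finished check passed)."""
    client_hello = PREFIX + b",".join(client_suites)
    received = in_transit(client_hello) if in_transit else client_hello
    offered = received[len(PREFIX):].split(b",")
    chosen = next(s for s in SERVER_PREFERENCE if s in offered)
    server_hello = b"CHOSEN " + chosen
    secret = b"constructed-master-secret"  # placeholder for the negotiated secret
    client_finished = finished_mac(secret, [client_hello, server_hello])  # what the client sent
    server_expected = finished_mac(secret, [received, server_hello])      # what the server saw
    return chosen, hmac.compare_digest(client_finished, server_expected)

def strip_strong_suites(hello):
    """Models the hello edit described in item 1: only the 40-bit suite is left."""
    return PREFIX + b"EXPORT_RC4_40"

if __name__ == "__main__":
    suites = [b"RC4_128", b"EXPORT_RC4_40"]
    print(handshake(suites))                       # untouched hello
    print(handshake(suites, strip_strong_suites))  # edited hello: check fails
```

Without the final comparison, as in SSL 2.0, the second run would complete on the 40-bit suite with neither side noticing.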

 

You can find more details here: http://support.microsoft.com/kb/187498 (Note: only TLS 1.0 and SSL 3.0 should be enabled)

Source: http://stason.org/TULARC/security/ssl-talk/4-11-What-is-the-difference-between-SSL-2-0-and-3-0.html

http://www.keithdmitchell.com/2008/08/29/how-to-enabled-ssl-30-for-windows-2003/