I’ll admit, I find the configuration of SSL and TLS something of a mystery – I like to leave that stuff to the admin guys and get on with the coding. It’s something of a black art, and there seem to be so many obscurely named vulnerabilities that it’s a bit difficult to handle without being a specialist. (Heartbleed? Bar Mitzvah? Lucky 13? Poodle? I mean, seriously, POODLE?)
However, I was recently given a PowerShell script and told to ‘fix these servers’ – and it was very easy.
The script I used came from http://www.hass.de – Setup your IIS for SSL Perfect Forward Secrecy and TLS 1.2. There are two scripts attached to the bottom of that page.
- v1.4 – Doesn’t support RC4
- v1.3 – Does support RC4
Why would you want to support the RC4 cipher when it’s known to be weak? Well, unfortunately, it’s the best of a bad bunch for supporting Internet Explorer 8 running on Windows XP (yes, some people still use that).
I chose v1.3, and ran the PowerShell, rebooted and… it worked. Checking with the online SSL checkers from HT Bridge and SSLLabs got A- and B respectively. This is considerably better than the F grade before we ran it.
Thank you Alexander Hass, you just made my day much easier.
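To confirm locally what a script of this kind left behind, rather than relying only on the online checkers, the following read-only report is an added example and is not part of the original post or of Alexander Hass's script. It assumes the standard Windows SCHANNEL registry layout and the policy key for cipher suite order; the function name `Get-SchannelState` is hypothetical.

```powershell
# Added example: read-only report of local SCHANNEL settings. Changes nothing.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    param([string]$SubKey)
    # The .NET registry API is used because cipher key names contain '/',
    # which the PowerShell registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return 'not set (OS default)' }
    try {
        $enabled = $key.GetValue('Enabled')
        if ($null -eq $enabled) { return 'not set (OS default)' }
        if ($enabled -eq 0) { return 'disabled' }
        return 'enabled'   # any non-zero DWORD, e.g. 0xffffffff or 1
    }
    finally { $key.Close() }
}

$report = @()
foreach ($c in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $report += [pscustomobject]@{ Type = 'Cipher'; Name = $c
                                  State = (Get-SchannelState "Ciphers\$c") }
}
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $report += [pscustomobject]@{ Type = 'Protocol'; Name = $p
                                  State = (Get-SchannelState "Protocols\$p\Server") }
}
$report | Format-Table -AutoSize

# Cipher suite order, if one has been set through the policy key.
# The value may be a comma-separated string or a multi-string; handle both.
$policy = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
$functions = $null
if ($policy) { $functions = $policy.GetValue('Functions'); $policy.Close() }

if ($null -eq $functions) {
    'No cipher suite order policy set; the Windows default order applies.'
} else {
    $i = 0
    (@($functions) -join ',') -split ',' | Where-Object { $_ } | ForEach-Object {
        $i++
        [pscustomobject]@{ Order = $i; Suite = $_
                           RC4 = ($_ -match 'RC4')
                           ForwardSecrecy = ($_ -match '^TLS_(ECDHE|DHE)_') }
    } | Format-Table -AutoSize
}
```

Running it before and after the change shows which RC4 ciphers and legacy protocols are still switched on, and whether forward-secrecy suites sit ahead of any RC4 suites in the order.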