Answered Re: TMG 2010 SSLv3 not working

  • Tuesday, December 04, 2012 11:23 AM
     
     

    Guys - I'm really stuck with this one. Hoping someone has come across the same issue.

    Basically I cannot get TMG 2010 SP2 to recognise SSLv3.

    If I try to access a website via TMG proxy that supports only SSLv3 the connection fails.

    Scans, such as SSLScan, show that only TLS is enabled - no support for SSLv3.

    Despite modifying the registry as per KB245030, and installing the updates/running the scripts as per KB2545464 and KB982876 it just will not work.

    Many thanks for any much needed help!

All Replies

  • Thursday, December 06, 2012 7:28 AM
    Moderator
     
     

    Hi,

    Thank you for the post.

    1) I want to force ISA Server to use SSL V3. How do I do this?

    This is not an ISA question. ISA Server consumes the cryptography system from the OS, more precisely from the SCHANNEL security provider. If you want to play with the SSL version, ciphers and hashes use the KB below:

    How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll. Whatever is used by the OS will be respected by ISA.

    http://blogs.technet.com/b/yuridiogenes/archive/2010/04/21/this-is-not-an-isa-question.aspx

    Regards,


    Nick Gu - MSFT


  • Thursday, December 06, 2012 10:46 AM
     
     

    Hi Nick,

    Thanks for the reply.

    I've followed that MS KB already but it makes no difference - either the cryptography system from the OS isn't working correctly or ISA is not respecting it.

    Any further thoughts on how I could prove one or the other?

    Thanks,

    Ben

  • Thursday, December 06, 2012 2:54 PM
    Moderator
     
     

    Hi,

    Thank you for the update.

    You may refer to: http://support.microsoft.com/kb/187498, which talks about how to enable SSL 3.0 side by side with SSL 2.0. TMG functionality should not be affected if we keep both SSL 2 and SSL 3 enabled. SSL 2 on TMG must not be disabled as there are millions of web servers that support it.

    Regards,


    Nick Gu - MSFT

  • Friday, December 07, 2012 10:34 AM
     
     

    Hi Nick,

    Again thanks for the reply.

    I've referred to KB187498 however this does not help me.

    SSLv3 should be enabled by default in a Windows 2008 R2 environment. Even with registry keys to force enable SSLv3 it does not show as a supported protocol when using something such as SSLScan to check the TMG server.

    Our security policy does not allow access to SSLv2 only websites as SSLv2 for years has not been considered secure - hence the reason why we've disabled it - this is however beside the point as the issue here is that SSLv3 cannot be enabled.

    Any other thoughts would be most appreciated.

    Many thanks,

    Ben

  • Friday, December 07, 2012 11:27 PM
    Moderator
     
     

    This is what I get on a standard build Windows Server 2008 R2 platform running TMG and SSLv2 disabled:

    Do you get something different?


    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


  • Monday, December 10, 2012 12:10 PM
     
     Answered

    Hi Jason,

    Thanks for chipping in.

    I finally found the issue - hence why your test shows SSL 3.0 as enabled.

    My group policy settings were enabled for 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'.

    This was in effect disabling SSLv3 regardless of the settings in the registry!

    I'll mark this as answered!

    Thanks again guys for the comments.

    Ben

    • Marked As Answer by NWFRS Monday, December 10, 2012 12:10 PM
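The interaction Ben describes above can be confirmed from the host itself. The following read-only PowerShell script is an added example, not code from the thread or from Microsoft: it reads the Lsa FipsAlgorithmPolicy value that the 'Use FIPS compliant algorithms' policy sets, lists the SCHANNEL protocol keys that KB245030 documents, and flags the case where FIPS mode is on, since Schannel then refuses SSL 3.0 whatever those keys say. Run it in an elevated PowerShell on the TMG server.

```powershell
# Added diagnostic (not from the thread). Read-only: it changes nothing.
# Assumes Windows Server 2008 R2 / PowerShell 2.0 or later on the TMG host.

$fipsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# The group policy 'System cryptography: Use FIPS compliant algorithms for
# encryption, hashing, and signing' is stored as this DWORD (1 = enabled).
$fips   = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$fipsOn = ($fips -eq 1)
"FIPS algorithm policy enabled: $fipsOn"

# Report the per-protocol, per-side Schannel values from KB245030.
function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path $schannel "$Protocol\$Side"
    if (-not (Test-Path $path)) { return 'key absent (OS default applies)' }
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $enabled    = if ($null -eq $p.Enabled)           { 'default' } else { $p.Enabled }
    $disByDef   = if ($null -eq $p.DisabledByDefault) { 'default' } else { $p.DisabledByDefault }
    return "Enabled=$enabled DisabledByDefault=$disByDef"
}

foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    foreach ($side in 'Client', 'Server') {
        '{0,-8} {1,-6} {2}' -f $proto, $side, (Get-SchannelState -Protocol $proto -Side $side)
    }
}

# This is the condition that caught Ben: with FIPS mode on, Schannel only
# negotiates TLS, so an SSL 3.0 Enabled=1 key has no effect and SSLScan
# will keep showing TLS only.
if ($fipsOn) {
    Write-Warning 'FIPS policy is on: SSL 3.0 will not be negotiated regardless of the SCHANNEL values above.'
}
```

If the warning fires, the policy (not the registry) is what an SSLScan of the proxy is reflecting; the same check is worth adding to a build audit so the two settings are never reviewed in isolation.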
  • Tuesday, December 11, 2012 5:32 PM
    Moderator
     
     

    Ah, that makes sense :)

    Jason Jones | Microsoft MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk