How to check if clients still use SSL2, SSL3 prior disabling vulnerable protocols?

    Question

  • Hi folks!

    One of the customers I'm supporting is planning to disable the vulnerable SSL2 and SSL3 protocols on their domain controllers. The challenge is to make sure that the clients already use TLS and nothing will be impacted. Is there a way to enable some logging or tracing to find out if some clients still use SSL2 or SSL3?

    Thank you in advance!


    • Edited by Igor Vyunov Sunday, January 8, 2017 4:20 PM
    Sunday, January 8, 2017 4:20 PM

Answers

  • You can try to enable the logging as described here: https://blogs.msdn.microsoft.com/chiranth/2014/02/18/ssl-troubleshooting-troubleshooting-steps-for-server-side-ssl-problems/

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    • Marked as answer by Igor Vyunov Monday, January 9, 2017 1:14 PM
    Monday, January 9, 2017 12:36 AM

All replies

  • Hi,

    One of the customers I'm supporting is planning to disable the vulnerable SSL2 and SSL3 protocols on their domain controllers. The challenge is to make sure that the clients already use TLS and nothing will be impacted. Is there a way to enable some logging or tracing to find out if some clients still use SSL2 or SSL3?

    >>>To disable the vulnerable SSL2 and SSL3 protocols, you could configure this by group policy with registry settings. And to check that the clients are not using SSL and already use TLS, you just need to make sure that the group policy has been applied by the clients.

    Here is an article below about the registry of those protocols for your reference.

    TLS/SSL Settings

    https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 9, 2017 7:42 AM
    Moderator
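As an added example (not code from the thread or from the TechNet article above), here are the Schannel registry values a GPO registry preference would push to disable SSL 2.0 and SSL 3.0, together with a read-back function that reports the effective protocol configuration on any machine, which is the check to run on a client after the policy has applied. It assumes Windows Server 2008 R2 / Windows 7 or later and must be run elevated; the function names are made up for this example.

```powershell
# Added example, not from the thread. Configures the Schannel protocol keys
# documented in the "TLS/SSL Settings" article and reads them back.
# Schannel reads these keys at boot, so a reboot is required after changing them.

$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,                          # e.g. 'SSL 3.0'
        [ValidateSet('Server','Client')][string[]]$Side = @('Server','Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path $protocols "$Name\$s"
        New-Item -Path $key -Force | Out-Null
        # Enabled = 0 turns the protocol off outright. DisabledByDefault = 1
        # additionally keeps it off for callers that do not request a protocol
        # explicitly. Setting both is the documented way to disable a protocol.
        Set-ItemProperty -Path $key -Name Enabled           -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
    }
}

function Get-SchannelProtocolState {
    # Reports every protocol/side pair. A missing key or value means Schannel
    # falls back to the OS default for that Windows version (see the TLS/SSL
    # Settings article), which is why "OS default" is shown rather than 0 or 1.
    foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($s in 'Server','Client') {
            $key   = Join-Path $protocols "$p\$s"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

# Disable SSL 2.0 and SSL 3.0 for both inbound (Server) and outbound (Client) use.
# Use -Side Server if only the DC's listening side should change for now.
'SSL 2.0','SSL 3.0' | ForEach-Object { Disable-SchannelProtocol -Name $_ }

# Read back and show the result; run the same call on a client to confirm
# that the group policy has actually landed in the registry.
Get-SchannelProtocolState | Format-Table -AutoSize
```

Note that the read-back only proves what the machine is configured to offer; it says nothing about what the clients actually negotiated against the domain controllers, which is what the original question asks. That needs the Schannel handshake logging discussed in the other answer.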
  • Thank you Ahmed, appreciate your help!

    Enabling SCHANNEL extended logging generates events like this:

    Log Name:      System
    Source:        Schannel
    Date:          1/9/2017 12:37:17 PM
    Event ID:      36880
    Task Category: None
    Level:         Information
    Keywords:      
    User:          SYSTEM
    Computer:      dc1.contoso.com
    Description:
    An SSL server handshake completed successfully. The negotiated cryptographic parameters are as follows.

       Protocol: TLS 1.2
       CipherSuite: 0xC028
       Exchange strength: 256

    Which is sufficient. I'll enable SCHANNEL logging for some time, then will collect the events and parse the data to check if there is anything other than TLS.

    Thanks again!

    Monday, January 9, 2017 1:20 PM
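As an added example (not code from the thread), the logging setup and the parsing pass described above, in PowerShell: it raises the Schannel EventLogging level, collects event 36880 from the System log on the domain controller, and summarises the negotiated protocols so that anything other than TLS stands out. It assumes the 36880 message format shown in the post above, a seven-day logging window, and an output path under %TEMP%; all three are assumptions for this example.

```powershell
# Added example, not from the thread. Run elevated on each domain controller.

# 1) Enable extended Schannel logging. EventLogging is a bitmask:
#    1 = errors, 2 = warnings, 4 = informational. 7 logs everything, including
#    the 36880 "handshake completed successfully" events. The new level takes
#    effect after a restart.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name EventLogging -Value 7 -Type DWord

# 2) After the logging window, collect 36880 events from the System log.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36880
    StartTime    = $since
} -ErrorAction SilentlyContinue

# 3) Pull protocol and cipher suite out of each message. 36880 is raised for
#    both inbound ("server handshake") and outbound ("client handshake")
#    connections, so keep the side as well.
$parsed = foreach ($e in $events) {
    $msg = $e.Message
    if ($msg -notmatch 'Protocol:\s*(?<proto>[^\r\n]+)') { continue }
    $proto = $Matches.proto.Trim()
    $suite = if ($msg -match 'CipherSuite:\s*(?<suite>0x[0-9A-Fa-f]+)') { $Matches.suite } else { 'unknown' }
    $side  = if ($msg -match 'server handshake') { 'server' } else { 'client' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Side        = $side
        Protocol    = $proto
        CipherSuite = $suite
    }
}

# 4) Summarise by side and protocol. Anything that is not TLS 1.x here is a
#    peer that will stop connecting once SSL 2.0/3.0 are disabled.
$parsed | Group-Object Side, Protocol | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

$legacy = @($parsed | Where-Object { $_.Protocol -notlike 'TLS*' })
if ($legacy.Count -gt 0) {
    Write-Warning ("{0} handshake(s) still negotiated SSL on {1}" -f $legacy.Count, $env:COMPUTERNAME)
    $legacy | Sort-Object Time | Format-Table Time, Side, Protocol, CipherSuite -AutoSize
    # The 36880 message text shown in the thread carries no remote address, so
    # export the timestamps for correlation with a network capture (LDAPS on
    # 636/3269 is the usual Schannel listener on a DC).
    $legacy | Export-Csv -NoTypeInformation -Path "$env:TEMP\schannel-legacy-$env:COMPUTERNAME.csv"
} else {
    Write-Host "No SSL 2.0/3.0 handshakes observed on $env:COMPUTERNAME since $since."
}
```

Two practical caveats. Level 7 logging is noisy on a busy DC, so raise the System log's maximum size (for example with `wevtutil sl System /ms:<bytes>`) before the window starts, or the oldest handshakes will be overwritten. And Schannel only sees SSL/TLS traffic: LDAPS, RDP and similar. Kerberos, NTLM, SMB and RPC do not go through Schannel, so ordinary domain authentication is neither logged here nor affected by disabling SSL 2.0/3.0.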
  • Thank you for advice!

    But it would work for Windows machines only.

    Monday, January 9, 2017 1:24 PM
  • Try to do it on the domain controllers too. It should reflect the protocols they have negotiated with clients you have.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Monday, January 9, 2017 1:39 PM