Re: Disable SSL v2 ciphers on IIS 5.0

[Eoin Miller <eoin.miller () trojanedbinaries com>]

secmail.lists () gmail com wrote:
> All -
>
> I am looking to have a client disable SSL v2 ciphers on IIS 5.0 any idea on how to do it? I checked technet and others 
> and it seems to be a mistery. I reommended the follwing:
> http://support.microsoft.com/kb/187498/en-us
>
> The admin made the registry changes and bounced the server yet the ciphers still report they are available (note I used 
> openssl s_client ... to test)
>
> Thanks
> Don
>
>   
Don,

The ciphers can be used with the SSLv2 and SSLv3 protocols. Even if the 
SSLv2 protocol has been disabled, the same ciphers can be used with an 
SSLv3 connection. This may be a misunderstanding on my part however as 
you appear to be attempting to disable the protocol its self. You could 
ask the client to export the registry keys from the server so you could 
verify the correct entries. I would also inquire about any 
firewalls/proxies/etc in between you and the server you are testing 
against. Perhaps the another device along the route could be handling 
the SSL?

--Eoin

-------------------------------------------------------------------------
Sponsored by: Watchfire

AppScan 6.5 is now available! New features for Web Services Testing, 
Advanced Automated Capabilities for Penetration Testers, PCI Compliance 
Reporting, Token Analysis, Authentication testing, Automated JavaScript 
execution and much more. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150000000CYkc
-------------------------------------------------------------------------