Removing SSL 2.0, Adding TLS 1.1 and TLS 1.2 on Windows 2008 (IIS 7.5)

By default, Windows 2008 R2 has some shonky SSL settings – it enables SSL 2.0, which is broken, and it doesn’t enable the best protocols – TLS 1.1 and 1.2. To disable and enable things as we want them, we need to go digging around in the registry.

I’ve compiled these instructions from this article, which details how to disable SSL 2.0, and this article, which has broken instructions on how to enable TLS 1.1 and TLS 1.2. As this process requires a server restart I thought a single article might keep downtime low.

IIS SSL capabilities are controlled at the system level, so this should work for other IIS versions as well.

Editing the registry

The keys we need to alter are in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

There should already be a key (folder) called SSL 2.0; you need to create two new folders called TLS 1.1 and TLS 1.2.

Underneath these protocol keys, you need another set of keys (folders) called Client and Server. These may already exist for SSL 2.0.

Underneath the Server keys, we need to put a DWORD called Enabled and set it to 0 for SSL 2.0 and to 0xffffffff (Use the hexadecimal radio button) for the two TLS items.

Underneath the Client keys, we need to put a DWORD called DisabledByDefault and set it to 0 for the two TLS items and to 0xffffffff (hexadecimal again) for SSL 2.0.

Restart the server and then check which protocols it now allows – everything should now be more secure. Check it using this tool.
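The same registry changes scripted in PowerShell, as an added example that is not part of the original post: it applies exactly the values the post gives and reads them back, so you can check the keys before the restart. It assumes you run it as Administrator and that the registry path is the one the post names.

```powershell
# Added example (not from the post): apply the post's SCHANNEL registry changes and read them back.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Per protocol the post sets only Server\Enabled and Client\DisabledByDefault.
# An Int32 DWORD of -1 is stored as 0xffffffff, the value the post has you type in regedit.
$settings = [ordered]@{
    'SSL 2.0' = @{ ServerEnabled = 0;  ClientDisabledByDefault = -1 }
    'TLS 1.1' = @{ ServerEnabled = -1; ClientDisabledByDefault = 0 }
    'TLS 1.2' = @{ ServerEnabled = -1; ClientDisabledByDefault = 0 }
}

function Set-SchannelProtocol {
    param([string]$Protocol, [int]$ServerEnabled, [int]$ClientDisabledByDefault)
    # Create the protocol key and its Client/Server subkeys if they are missing.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path (Join-Path $base "$Protocol\Server") -Name 'Enabled' `
        -Value $ServerEnabled -Type DWord
    Set-ItemProperty -Path (Join-Path $base "$Protocol\Client") -Name 'DisabledByDefault' `
        -Value $ClientDisabledByDefault -Type DWord
}

function Get-SchannelProtocolState {
    # Read each value back as hex so it matches what regedit shows; '(not set)' if absent.
    foreach ($protocol in $settings.Keys) {
        $srv = Get-ItemProperty -Path (Join-Path $base "$protocol\Server") -Name 'Enabled' -ErrorAction SilentlyContinue
        $cli = Get-ItemProperty -Path (Join-Path $base "$protocol\Client") -Name 'DisabledByDefault' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol                = $protocol
            ServerEnabled           = $(if ($srv) { '0x{0:x8}' -f $srv.Enabled } else { '(not set)' })
            ClientDisabledByDefault = $(if ($cli) { '0x{0:x8}' -f $cli.DisabledByDefault } else { '(not set)' })
        }
    }
}

foreach ($protocol in $settings.Keys) {
    $s = $settings[$protocol]
    Set-SchannelProtocol -Protocol $protocol -ServerEnabled $s.ServerEnabled `
        -ClientDisabledByDefault $s.ClientDisabledByDefault
}
Get-SchannelProtocolState | Format-Table -AutoSize

# Restart the server afterwards, as the post says; the new values only apply after a reboot.
```

The read-back only confirms the registry contents; which protocols the server actually offers is only testable after the restart, with the tool the post links to.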

Tool that sorts it out for you

If you’re happy installing random tools on your server, then you can get IIS Crypto to make the changes for you.

If I’ve got anything wrong, or you think I could be clearer, please drop me a comment below here! Thanks.

Splitting/cutting an m4a file

Every so often I have an audio file that I need to break into sections. With more files coming as .m4a, the various GUI options I’d used before no longer work.

Now I’ve found a method that doesn’t need a GUI – use command line ffmpeg to split these files. The basics I found from a superuser question that was automatically breaking a file into smaller pieces. Taking out the Ruby sections, here’s the useful snippet.


ffmpeg -ss 1:01:42 -i c:\Data\temp\in.m4a -vn -c copy -t 1:00:00 out.m4a

  1. The first time (1:01:42) is the start time of the cut.
  2. -vn drops the video stream, so only the audio stream is copied from the file.
  3. The second time (1:00:00) is the duration of the cut. It can be longer than the length of the whole file.

Note that the cut is made at the nearest point to that time that the stream allows, so it might be a little out.

Clearing DNS caches

When making DNS changes it can often take a while for various DNS caches between yourself and the source to clear. I’ve often found that the last ones to change are the ones in the last few metres – from your router to your browser.

You’ll need to find the one upstream that’s incorrect and fix “backwards” from that – i.e. check your Windows DNS cache first, then work towards the browser.

Browser

According to OpenDNS, all browsers will clear their DNS cache if you use their clear cache functionality, but that’ll take out a lot more than DNS.

Chrome: Visit chrome://net-internals/#dns and press the ‘clear hosts cache’ button. You can also see what IP it’s talking to on this page.

Firefox: Closing and re-opening the browser should do it – otherwise there’s a fiddly method involving about:config. When I’ve tried out the plug-ins I’ll add a suggestion, but if you’re using one let me know in the comments and I’ll update this.

IE: no independent DNS cache.

Local Windows machine

At command prompt: ipconfig /flushdns

Use ping to see if you’re resolving OK.

Windows Server (if acting as DNS cache)

At command prompt: dnscmd <servername> /clearcache
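The “find the one upstream that’s incorrect” step done as a script, as an added example that is not part of the original post: it asks the local cache, the configured DNS server and the zone’s authoritative servers in turn and flags any hop whose answer differs from the authoritative one. It assumes the DnsClient module (Windows 8 / Server 2012 and later); the name and zone at the bottom are constructed samples.

```powershell
# Added example (not from the post): locate which DNS hop is still serving a stale answer.
function Compare-DnsAnswers {
    param(
        [Parameter(Mandatory)][string]$Name,   # record to check, e.g. www.example.com
        [Parameter(Mandatory)][string]$Zone    # zone that holds it, e.g. example.com
    )
    $results = [ordered]@{}

    # 1. Local Windows resolver cache (empty if the name is not cached).
    $results['LocalCache'] = @(Get-DnsClientCache -Entry $Name -Type A -ErrorAction SilentlyContinue |
                               Select-Object -ExpandProperty Data)

    # 2. The configured DNS server, asked directly rather than via the local cache.
    $servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
    $results['ConfiguredServer'] = @(Resolve-DnsName -Name $Name -Type A -Server $servers -DnsOnly -ErrorAction SilentlyContinue |
                                     Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)

    # 3. The zone's authoritative servers, i.e. the source of truth.
    $ns = Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
    $auth = foreach ($server in $ns) {
        Resolve-DnsName -Name $Name -Type A -Server $server -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    }
    $results['Authoritative'] = @($auth | Sort-Object -Unique)

    # Report each hop; a hop is stale when it has an answer and that answer differs from the authoritative one.
    $truth = $results['Authoritative']
    foreach ($hop in $results.Keys) {
        $answers = $results[$hop]
        $stale = $false
        if ($answers.Count -gt 0 -and $truth.Count -gt 0) {
            $stale = [bool](Compare-Object $answers $truth)
        }
        [pscustomobject]@{ Hop = $hop; Answers = ($answers -join ', '); Stale = $stale }
    }
}

Compare-DnsAnswers -Name 'www.example.com' -Zone 'example.com'
```

Work from the first stale hop outwards: clear that cache (the commands above), re-run, and only then worry about the browser.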

Checklist for large file upload issues in IIS7 / .net

I had an issue with large(-ish) file uploads yesterday and thought I should write up the things I needed to change, as it’s one of those things that I have to do from time to time and I invariably forget all of the settings.

This is in .net Integrated Pipeline mode – it’s different for Classic ASP.

The following two settings allow files of up to 200MB (value is in kilobytes) taking up to 10 minutes (value is in seconds). See the documentation for this.

<system.web>
  <httpRuntime executionTimeout="600" maxRequestLength="204800" />
</system.web>

You will also need to alter this setting (the value is in bytes this time – see the documentation). It defaults to about 30MB.

<system.webServer>
   <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="209715200" />
    </requestFiltering>
  </security>
</system.webServer>

My understanding is that these settings are usually kept quite low to avoid DoS attacks, and if you’re admin for a large site you should consider moving your uploads to a different server or at least a different application / application pool.
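A check for the two limits above, as an added example that is not part of the original post: it reads both values from a web.config, converts them to the same unit and reports the effective ceiling, which is the lower of the two because IIS request filtering rejects the request before ASP.NET sees it. The defaults it assumes when an attribute is absent are maxRequestLength 4096 KB, executionTimeout 110 s and maxAllowedContentLength 30000000 bytes; the web.config text is a constructed sample using the post’s values.

```powershell
# Added example (not from the post): report the effective upload limit from a web.config.
$sampleWebConfig = @'
<configuration>
  <system.web>
    <httpRuntime executionTimeout="600" maxRequestLength="204800" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="209715200" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@

# Returns the attribute if the node and attribute exist, otherwise the documented default.
function Get-AttrOrDefault($node, $attr, $default) {
    if ($node -and $node.$attr) { $node.$attr } else { $default }
}

function Get-EffectiveUploadLimit {
    param([Parameter(Mandatory)][xml]$WebConfig)
    $runtime = $WebConfig.configuration.'system.web'.httpRuntime
    $limits  = $WebConfig.configuration.'system.webServer'.security.requestFiltering.requestLimits

    # maxRequestLength is in KB, maxAllowedContentLength in bytes: normalise both to bytes.
    $aspnetBytes = 1024 * [int64](Get-AttrOrDefault $runtime 'maxRequestLength' 4096)
    $iisBytes    = [int64](Get-AttrOrDefault $limits 'maxAllowedContentLength' 30000000)
    $timeout     = [int](Get-AttrOrDefault $runtime 'executionTimeout' 110)

    # Request filtering runs first, so whichever limit is lower is the one users actually hit.
    [pscustomobject]@{
        AspNetLimitMB     = [math]::Round($aspnetBytes / 1MB, 1)
        IisLimitMB        = [math]::Round($iisBytes / 1MB, 1)
        EffectiveLimitMB  = [math]::Round([math]::Min($aspnetBytes, $iisBytes) / 1MB, 1)
        ExecutionTimeoutS = $timeout
        LimitsAgree       = ($aspnetBytes -eq $iisBytes)
    }
}

# With the post's values both limits come out at 200 MB and LimitsAgree is True.
Get-EffectiveUploadLimit -WebConfig ([xml]$sampleWebConfig)
```

Point it at a real site with `Get-EffectiveUploadLimit -WebConfig ([xml](Get-Content 'C:\inetpub\wwwroot\web.config' -Raw))`; a LimitsAgree of False usually means one value was edited and the other forgotten.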

If there’s anything missing from these settings, or some nuance I’m missing, please let me know in the comments.

Visited Oxford Hackspace, first project idea: stand-up desk

Although I’ve been meaning to get down to see the Oxford Hackspace studio for a while, I only managed to go last Wednesday to help out (a tiny, tiny bit) with improving their space. Since then, I’ve been trying to think of a project – something practical that I can try to build. To prove that I’m not yet in the maker headspace, I have on a separate thread been thinking about replacing my home desk with a stand-up desk for better health and the like. Only today did 1 + 1 = 2, and I realised this might be a good first project. Taking a quick look around the web, it doesn’t seem like a particularly complex task although there are a few constraints for what I would like to do:

  • I can’t screw anything into the wall – at least, not the kind of screws that would be needed to make a really secure desk.
  • I’d like to avoid just hacking IKEA pieces together – seems to be a common theme out there, but it increases the cost and, well, I want to try something from scratch.

There are other things that would be nice but I think I ought to keep out of my first project – perhaps I can go for a V2.0 if I actually build this thing: adjustable height, cable gutter, proper monitor mounts and bracket for holding PC. Will post progress on this blog, if I ever make any.

Get rid of black menu bar on HTC One/Desire phones (X/C/S/V, yadda yadda)

Black bar on htc one x

If you have a recent HTC phone then you probably find that there’s often a big black bar across the bottom of your screen, taking up space you spent hard cash on getting.

In a way, HTC were doing the right thing and the apps were supposed to change so that it wasn’t necessary. Other manufacturers kept the menu button, though, and so the apps never got changed.

To fix on One X: Slide down the top menu and get to Settings (in top right). Select Display, gestures & buttons, then Recent apps button, then you can choose to either change that button to be the menu button (“Press for menu, press and hold for recent apps”) or you can hold it down to get to the menu (“Press for recent apps, press and hold for menu”).

By the way, if you want a screenshot on an HTC phone, hold the power button and press Home. It should let you know that it’s worked as well.

Two interesting snippets from New Scientist about smell

A tip for the Cellar:

…when Hendrick Schifferstein from Delft University of Technology and colleagues pumped the smell of orange, seawater or peppermint into a club, the revellers partied harder – they danced more, rated their night as more enjoyable, and even thought the music was better.

And at once surprising and not:

Yaara Yeshun and team at the Weizmann Institute found that the imperceptible smell of women’s tears decreases sexual arousal in men.

8 steps to putting your café on the internet

I see two reasons for a local business, such as a café, to have an internet presence – discovery and engagement.

Discovery is easier and is the “classic” reason – it’s to help new customers discover your existence and while traditionally that might mean a website, these days it’s going to be more about appearance on map sites like Google Maps. Engagement is to build a relationship with customers outside of the café so that they will frequent you more regularly / mention you to other new customers.

0. (Buy a domain name and sort out an e-mail account on that domain)

I’m not of the opinion that you need a website for a local service like a café as a website isn’t going to be best at engagement or for discovery. But if you’re going to get one, then get one first because nearly every other service you will sign up for will give you the opportunity to enter an address and an e-mail and you’ll save loads of time if you’ve got these sorted already. Just add the simplest page with contact details (including address) and opening times and worry about anything flashier later.

1. Get yourself listed on map services

So that people using them on mobile will be able to see you, and be directed to you if they search for “coffee”. Start with Google Maps, then Apple Maps (you’ll need an iPhone), then Bing Maps. This is approximately in ascending order of difficulty as well – Google is dead easy, Bing is cryptic.

2. Consider TripAdvisor listing

The TripAdvisor app has a great functionality for restaurants “near me now”. If food is a strong point of yours, consider getting listed.

3. Get yourself on any vertical/specialist directories.

For example, if you offer free Wi-Fi then look for websites that list Wi-Fi locations and get yourself listed. (A word of warning, it shouldn’t cost more than a few quid to get on these).

Are you suitable for services like Just Eat?

4. Decide how you’re going to engage with customers outside the café

This is quite critical, because it’s not worth doing anything about engagement if you don’t think you’ve got anything to say and you’re not going to bother saying it. It can be a simple notification about the “sandwich of the day”, or you could do internet-only offers (free upgrade to large if you say today’s password), or first person to answer a trivia question in-store gets a free drink. Be creative!

5. Get Twitter and Facebook accounts

You can keep your work down by linking these accounts – and I prefer setting Twitter to post to Facebook because you can use services like Twuffer to set up Tweets to come out at certain times. If you’re going to post more than 3 times a day, it might be worth keeping them separate though as Twitter users expect more traffic than Facebook.

6. Publicise Twitter & Facebook on site

If you’ve got these accounts, the people you need to start following you are those who have been in at least once – not friends and family scattered across the country! Entice customers by hinting at what you may be posting (offers? events? local news? jokes?)

7. Respond to incoming messages through Twitter / Facebook

Finally, if you do get a following, remember to politely respond to anything they say to you.

8. Build a website – keep an eye on mobile functionality

Finally, build a website! Make sure that it’s going to look good on a mobile screen as users coming from the mapping services are likely to be mobile users. Ensure opening times, location and contact number are prominently displayed. If you’re putting a menu up, remember to keep it up to date or label it “sample menu”. If you’re using Twitter you could put your latest tweets up – although it will look worse if you’ve got a Twitter feed and the latest tweet was months ago…