Tag Archives: IIS

Removing SSL 2.0, Adding TLS 1.1 and TLS 1.2 in on Windows 2008 (IIS 7.5)

By default, Windows 2008 R2 has some shonky SSL settings – it enables SSL 2.0, which is broken, and it doesn’t enable the best protocols – TLS 1.1 and 1.2. To disable and enable things as we want them, we need to go digging around in the registry.

I’ve compiled these instructions from this article details how to disable SSL 2.0 and this article with broken instructions on how to enable TLS 1.1 and TLS 1.2. As this process requires a server restart I thought this single article might keep downtime low.

IIS SSL capabilities are controlled at the system level, so this should work for other IIS versions as well.

Editing the registry

The keys we need to alter are in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

There should already by a key (folder) called SSL 2.0, you need to create two new folders called TLS 1.1 and TLS 1.2.

Underneath these protocol keys, you need another set of keys (folders) called Client and Server. These may already exist for SSL 2.0.

Underneath the Server keys, we need to put a DWORD called Enabled and set it to 0 for SSL 2.0 and to 0xffffffff (Use the hexadecimal radio button) for the two TLS items.

Underneath the Client keys, we need to put a DWORD called DisabledByDefault and set it to 0 for TLS and ffffffff for SSL 2.0.

Reset the server and then check the protocols it now allows – everything should be sorted as more secure – check it using this tool.

Tool that sorts it out for you

If you’re happy installing random tools on your server, then you can get IIS Crypto to make the changes for you.

If I’ve got anything wrong, or you think I could be clearer, please drop me a comment below here! Thanks.

Checklist for large file upload issues in IIS7 / .net

I had an issue with large(-ish) file uploads yesterday and thought I should write up the things I needed to change, as it’s one of those things that I have to do from time to time and I invariably forget all of the settings.

This is in .net Integrated Pipeline mode – it’s different for Classic ASP.

The following two settings allow files of up to 200MB (value is in kilobytes) taking up to 10 minutes (value is in seconds). See documentation for this

<system.web>
  <httpRuntime executionTimeout="600" maxRequestLength="204800" />
</system.web>

You will also need to alter this setting (value is in bytes this time – see the documentation). It defaults to about 30Mb.

<system.webServer>
   <security>
    <requestFiltering>
      <requestLimits maxAllowedContentLength="209715200" />
    </requestFiltering>
  </security>
</system.webServer>

My understanding is that these settings are usually kept quite low to avoid DoS attacks, and if you’re admin for a large site you should consider moving your uploads to a different server or at least a different application / application pool.

If there’s anything missing from these settings, or some nuance I’m missing, please let me know in the comments.