question

Igor M. avatar image
Igor M. asked ·

How to disable Diffie–Hellman algorithm in MS ISS

Hello!

Does anyone have ready note about actions to disable Diffie–Hellman key exchange algorithm in MS ISS v10 ?

Currently it speaks:

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with X25519 (a strong key exchange), and AES_256_GCM (a strong cipher).

We are thinking to lower key exchange (handshake) protocol to one supported by RUM/NAM for our cust internal app. Diffie–Hellman key exchange algorithm does not send session excruption key over the net and RUM/NAM unable to understend TSL encrupted operations.

Regards,

Iger

nam servernamnam probe
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Igor M. avatar image
Igor M. answered ·

Frans, after reading all suggested links carefuly it became much more clear. Hopefuly i had basis pki and asymmetric encryption understanding before. I suggest all touched NAM HTTPS/TLS topic read these links! Exellent set but requires some background.

We managed to get read off NS_ERROR_NET_INADEQUATE_SECURITY Chrome error !

So working combination is HTTP v1.1 + TLS v1.2 with all *DH* disabled

Browser reports The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_256_GCM (a strong cipher).

Our app seams to accept HTTP v1.1 an from first glance it works well using this combination. We are in complex testing process.

HTTP v1.1 + TLS v1.2 with all *DH* disabled (TLS 1.2 RSA AES_256_GCM) looks reasonable tradeoff for us, so far we not dealing with state, bank, personal data.

We used following comands to downgrade from HTTP/2 to HTTP v1.1:

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name EnableHttp2Tls -Value 0 -Type DWordSet-ItemProperty -Path HKLM:\System\CurrentControl

Set\Services\HTTP\Parameters -Name EnableHttp2Cleartext -Value 0 -Type DWord

Now we will set up NAM AMD. It will take some time and i will let know results here.

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Frans S. avatar image
Frans S. answered ·
Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Igor M. avatar image
Igor M. answered ·

Cool staff ! Many thaks!

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Igor M. avatar image
Igor M. answered ·

We have got:

Your connection is not secure The website tried to negotiate an inadequate level of security. 10.101.2.90 uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site. Error code: NS_ERROR_NET_INADEQUATE_SECURITY

... and currently thinking if we are on the right way ...

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Frans S. avatar image
Frans S. answered ·

I think first you should look at the order of cipher suites that are enabled, and disable weak Cipher Suites. Example of an ordered list, supported by DCRUM:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA

Another option is to switch of HTTP/2 and revert back to HTTP/1.1, but I'm not thrilled by that option.
You can read more about this, your error, and possible solutions here:

https://www.tecklyfe.com/how-to-fix-ns_error_net_inadequate_security-and-err_spdy_inadequate_transport_security-in-iis-on-windows-server-2016/

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Frans S. avatar image
Frans S. answered ·

Note that everybody should be aware of the TLS 1.3 ghost however. Once TLS 1.3 becomes the standard in client-server communication, any monitoring solution like AMD's will no longer be able to decode HTTPS/SSL traffic, without additional changes/hardware in the infrastructure. Bottom lime will be, you will have to measure from a (man-in-the-middle) point in the traffic path where the traffic is not SSL encoded.

More on that in this Ixia article:

https://www.ixiacom.com/company/blog/implications-tls-13-security-monitoring

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Igor M. avatar image
Igor M. answered ·

Browser F12 security tab says:

The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_256_GCM (a strong cipher).

Does any one knows any Chrome chrome:// parameter to let it work? I am googling but not yet found any :-(

AES_256_GCM looks like AMD supported, according to

https://answers.dynatrace.com/questions/145444/dea...


I understand that TLS 1.3 will use DH based algorythms only.

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Frans S. avatar image
Frans S. answered ·

Igor, what is set currently in the browser? You may want to disable TLS1.0, and enable 1.2.

See how to do this per browser here:

https://support.engagingnetworks.net/manually-enab...

https://knowledge.digicert.com/generalinformation/...


Did you use the Best Practices button in IIS Crypto? Someone posted on

https://stackoverflow.com/questions/31746620/iis-1...

that he "came across solution posted here and used IIS Crypto and selected Cipher Suites option and clicked Best Practices button" to solve his problem.


Maybe you also have to look at Disabling HTTP/2 / SPDY in HTTP.SYS and IIS in Windows 10

According to another post on https://stackoverflow.com/questions/31746620/iis-... :
"According to the error message this is a SPDY issue, so the certificate and the cipher suites are not the cause.

SPDY is a protocol allowing multiplexing HTTPS requests but it will be replaced by HTTP/2. As a temporary fix, you can apparently disable its support in you browser/registry/server."



More related to your issue I found here:

https://serverfault.com/questions/712808/chrome-re...

https://security.stackexchange.com/questions/83831...

SSL and TLS Deployment Best Practices:

https://github.com/ssllabs/research/wiki/SSL-and-T...

Some more:

https://www.acunetix.com/blog/articles/tls-ssl-cip...

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

Frans S. avatar image
Frans S. answered ·

Check this out:

How to Fix NS_ERROR_NET_INADEQUATE_SECURITY and ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in IIS on Windows Server 2016

https://www.tecklyfe.com/how-to-fix-ns_error_net_i...

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.

IGOR M. avatar image
IGOR M. answered ·

Frans, many thanks! I need to study these links carefuly.

Share
10 |2000000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 50.0 MiB each and 250.0 MiB total.