Problems Disabling SSL v2

Our organization is in the process of coming into PCI compliance. If you've had to do this, then you know that you need to disable SSL v2. We have three servers running IIS which are outward facing. All three are running Windows Server 2008 R2. Two are general Web servers, the third is also running Exchange Server 2010 with OWA. The two Web servers are compliant, and a portion of the SSLLABS.COM test shows:
Protocols
TLS 1.2: Yes
TLS 1.1: Yes
TLS 1.0: Yes
SSL 3: Yes
SSL 2: No
However, even though I ensure that the registry settings are the same on the Exchange server as on the Web servers, I get this as a result:
Protocols
TLS 1.2: No
TLS 1.1: No
TLS 1.0: Yes
SSL 3: Yes
SSL 2 (INSECURE): Yes
Yes, every time I've made a change, I've run gpupdate /force then rebooted.  The registry settings are not reverting; I look after the reboot and they're what I expect.  The following is what is in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
Any help is appreciated.
Jake

I have used the Nartac tool, clicked the PCI button, and rebooted the server.  This did not work.  Also, per MS KB article 187498 "How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services" (http://support.microsoft.com/kb/187498/en-us), the example given is for PCT 1.0 but is implied for any of the protocols I believe:
To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:
1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.
   Note: If this value is present, double-click the value to edit its current value.
6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
7. Click OK. Restart the computer.
So to recap, setting Enabled to 0 is not enabled, and setting Enabled to 1 is enabled.  Or am I reading this completely wrong?
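
An offline check of the registry export posted above, as an added example that is not part of the original thread: it parses .reg text, reports the server-side state of each SCHANNEL protocol, and diffs two servers' exports value by value. The function names, the state labels and the DRIFTED export are constructed for illustration; Enabled = 0 is read as disabled, following the KB text quoted in the thread.

```python
import re

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Export text as posted in the thread for the Exchange server.
EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_schannel(reg_text):
    """Return {(protocol, role): {value_name: int}} for every Protocols/<protocol>/<role> key."""
    settings, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key, current = m.group(1), None
            if key.upper().startswith(ROOT.upper() + "\\"):
                parts = key[len(ROOT) + 1:].split("\\")
                if len(parts) == 2:  # <protocol>\<Client|Server>
                    current = (parts[0], parts[1].capitalize())
                    settings.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current:
            # Registry value names are case-insensitive, so normalise them.
            settings[current][m.group(1).lower()] = int(m.group(2), 16)
    return settings


def state(values):
    """Label one Client/Server key; None or {} means nothing is set in the export."""
    if not values:
        return "not configured"
    if "enabled" in values:
        return "disabled" if values["enabled"] == 0 else "enabled"
    if values.get("disabledbydefault") == 1:
        return "disabled by default"
    return "not configured"


def audit(reg_text, must_be_off=("SSL 2.0",),
          protocols=("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")):
    """Return (server-side report, protocols in must_be_off not explicitly disabled)."""
    settings = parse_schannel(reg_text)
    report = {p: state(settings.get((p, "Server"))) for p in protocols}
    findings = [p for p in must_be_off if report.get(p) != "disabled"]
    return report, findings


def diff_exports(a_text, b_text):
    """List (protocol, role, value_name, a, b) for every value that differs between exports."""
    a, b = parse_schannel(a_text), parse_schannel(b_text)
    diffs = []
    for key in sorted(set(a) | set(b)):
        av, bv = a.get(key, {}), b.get(key, {})
        for name in sorted(set(av) | set(bv)):
            if av.get(name) != bv.get(name):
                diffs.append((key[0], key[1], name, av.get(name), bv.get(name)))
    return diffs


# Constructed second export: same text with SSL 2.0 server-side switched back on.
DRIFTED = EXPORT.replace('SSL 2.0\\Server]\n"Enabled"=dword:00000000',
                         'SSL 2.0\\Server]\n"Enabled"=dword:00000001')

if __name__ == "__main__":
    report, findings = audit(EXPORT)
    for proto, label in report.items():
        print(f"{proto:8} server: {label}")
    print("must-be-off findings:", findings)
    print("drift vs constructed export:", diff_exports(EXPORT, DRIFTED))
```

For the export as posted, the report shows SSL 2.0 explicitly disabled on the server side and no TLS 1.0 key at all, so the exported values themselves do not leave SSL 2.0 on.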

Similar Messages

  • Apple Mail 8.2 disables SSL to POP3 server (Securityrisk)

    Hi,
    Setup
    Computer:
    OSX 10.10.2
    Mail 8.2 (2070.6)
    Mail server A
    POP3 port 995 SSL
    (Non SSL - port 110 -  is disabled due to security reasons)
    Mail server B
    POP3 port 110
    POP3 port 995 SSL
    Summary
    OSX Mail client removes SSL support at irregular intervals for POP3 connections. For the connections that support regular non SSL POP3 (port 110) this reduces the security, but the mail is available. This was noticed by me because one ISP has locked down their POP3 server to SSL only due to security reasons. After reenabling SSL on the connection (Mail -> Preferences -> Accounts -> Account in question -> Advanced) the connection remains with SSL support for a while, then it is removed again. As OS X Mail has no token to identify SSL or regular port 110 connection this is transparent to the user, unless the server does not support regular POP3, at which time an error is generated.
    Comments
    1) This seems to be a security related issue with mail where OS X mail downgrades from SSL connection to regular port 110 POP3 traffic
    2) If corrected the connection is downgraded again within a couple of days, if not sooner.
    3) Connections to POP3 servers supporting port 110 are "unaffected" with the exception of the security issue of a downgrade
    4) Connections to POP3 servers that only support SSL - port 995 - are not able to complete until SSL has been reenabled manually.
    5) Downgrade bug has been seen only on my machine, so it might not be something mainstream. Machine is updated to latest patches.
    Questions
    1) As this has only been observed on my machine, has anybody else seen this POP3 SSL downgrade bug?

    Same problem. The following information is from Symantec:
    To disable SSL\TLS
    Open Apple Mail.
    Click the Mail menu and select Preferences.
    Select your mail account on the left under Accounts, then click the Advanced tab.
    Confirm the check box labeled "use SSL" is not checked next to ports. If necessary remove the checkmark.
    Click the Account Information tab and select Edit Server list from the drop down next to Outgoing Mail Server.
    Click the Advanced tab and confirm there is not a checkmark next to Use Secure Socket Layer(SSL).
    Click OK and close the Accounts window and choose to save.
    Click Save to update your settings.
    Restart Apple Mail.
    This does work for a while but eventually Mail reverts to enabling Use SSL and disabling Allow Insecure Authentication, but only on some of my addresses, not all. Some accounts' POP logs in but not SMTP.

  • Disabling SSL open domain server. How?

    Hi all,
    Can anybody elucidate to me how I can disable SSL on an Open Domain OSX server?
    In
    http://support.apple.com/kb/HT5300
    it is explained that you have to disable SSL prior to updating OSX from Mountain Lion with OSX server 2.2 to OSX Mavericks with server 3.
    Any help is highly appreciated. Thanks already

    Hi UptimeJeff,
    Thanks for the reply.
    I have rolled back three times from Mavericks to Mountain Lion server and will now stay there for some months until the quirks are ironed out. Mavericks OSX server is just too cumbersome right now.
    So no email log to check at the moment.
    But the email archives were not too big and the server had a full good night to do that.
    The problem was strictly that server 3 app does not open after download and install and therefore does not let me finish configuration of the server.
    Thanks anyway.

  • Problem with SSL Activated on SSO Login

    Hi Guys,
    One of my applications has recently hit a few problems when SSL was activated on several environments. My application requires you to login using a SSO username and password before you can use the application. Before SSL was implemented, when you pressed the main menu button the page would redirect to the login server and the SSO login would remember your details and log you in again and then take you to the 1st page with a new session id. However, with SSL implemented, when the main menu button is pressed it redirects you to the login server but this time it asks you to enter your username and password. This is a problem as every time authentication is required on my application, it will keep telling you to login even if you have already done so before.
    For extra information, the main menu button (which is a navigation bar entry) redirects you to a piece of javascript which is used to take you back to the 1st page depending on what page you are on.
    I am also using the latest version of APEX.
    Any help is much appreciated as I am not sure where to go with this problem.
    Also is it a problem with the SSL setup or my application?
    Thanks
    -Mark

    > I have tried to pass the cookie through the URL to the login server but this does nothing.
    I can't imagine what you mean by that or what exactly you did.
    > it just takes me to the login page and resets the session id after i have logged in again!
    What do you mean by "reset"?
    > How can I make cookies be accepted by SSL?
    Have you constructed an experiment to prove that this is the problem?
    > Is there something i can put in the application itself?
    Definitely not.
    Scott

  • Problem establishing SSL VPN from only 1 IP address

    Hi,
    I'm experiencing strange problem.
    I can't establish SSL VPN connection from 1 IP address, but I don't have problem establishing SSL VPN from any other IP address.
    Remote IP address: 10.0.0.1
    ASA's public IP address: 192.168.1.1
    Output of packet-tracer:
    1. with problematic source IP address:
    packet-tracer input wan tcp 10.0.0.1 50601 192.168.1.1 443 detailed
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.1   255.255.255.255 identity
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
            hits=861, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
            hits=4069, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
            hits=4044934, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=2268518, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 6
    Type: TCP-MODULE
    Subtype: webvpn
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
            hits=4627, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 7
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0x7fff375504a0, priority=69, domain=encrypt, deny=false
            hits=40747, user_data=0x0, cs_id=0x7fff3754fa40, reverse, flags=0x0, protocol=0
            src ip/id=192.168.1.1, mask=255.255.255.255, port=0
            dst ip/id=10.0.0.1, mask=255.255.255.255, port=0, dscp=0x0
            input_ifc=any, output_ifc=wan
    Result:
    input-interface: wan
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    If I run packet-tracer with any other source IP address, let's say 10.0.0.2, everything is OK:
    packet-tracer input wan tcp 10.0.0.2 50601 192.168.1.1 443 de
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.1.1   255.255.255.255 identity
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37573f00, priority=119, domain=permit, deny=false
            hits=862, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 3
    Type: CONN-SETTINGS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10a50, priority=8, domain=conn-set, deny=false
            hits=4090, user_data=0x7fff38770910, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff395c7d70, priority=0, domain=inspect-ip-options, deny=true
            hits=4047886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff37560700, priority=13, domain=ipsec-tunnel-flow, deny=true
            hits=2270040, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=wan, output_ifc=any
    Phase: 6
    Type: TCP-MODULE
    Subtype: webvpn
    Result: ALLOW
    Config:
    Additional Information:
    Forward Flow based lookup yields rule:
    in  id=0x7fff38a10cc0, priority=13, domain=soft-np-tcp-module, deny=false
            hits=4648, user_data=0x7fff38c14300, cs_id=0x0, reverse, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=192.168.1.1, mask=255.255.255.255, port=443, dscp=0x0
            input_ifc=wan, output_ifc=identity
    Phase: 7
    Type: USER-STATISTICS
    Subtype: user-statistics
    Result: ALLOW
    Config:
    Additional Information:
    Reverse Flow based lookup yields rule:
    out id=0x7fff3a1cc320, priority=0, domain=user-statistics, deny=false
            hits=4902651, user_data=0x7fff3a0043c0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=any, output_ifc=wan
    Phase: 8
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 4384689, packet dispatched to next module
    Module information for forward flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_tcp_mod
    snp_fp_adjacency
    snp_fp_fragment
    snp_fp_drop
    Module information for reverse flow ...
    snp_fp_tracer_drop
    snp_fp_inspect_ip_options
    snp_fp_tcp_normalizer
    snp_fp_adjacency
    snp_fp_fragment
    snp_ifc_stat
    Result:
    input-interface: wan
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: allow
    I run packet capture on WAN interface - and I can only see incoming packets (SYN) with destination to tcp/443 but there isn't any outgoing packet (SYN/ACK).
    I even can't open web page from internet browser (url https://192.168.1.1) when source IP is 10.0.0.1, but I can open "SSL VPN Service" web page from any other source IP address.
    The only thing different with this IP address is that there's configured site-to-site (IPsec) vpn tunnel from same source to same destination IP address.
    Here is the configuration of the tunnel:
    group-policy GroupPolicy_10.0.0.1 internal
    group-policy GroupPolicy_10.0.0.1 attributes
    vpn-filter value VPN-ACL
    vpn-tunnel-protocol ikev1 ssl-client
    access-list VPN-ACL:
    access-list VPN-ACL extended permit ip object-group DM_INLINE_NETWORK_83 object-group DM_INLINE_NETWORK_84
    object-group network DM_INLINE_NETWORK_83
    network-object 10.11.217.0 255.255.255.0
    network-object 192.168.201.0 255.255.255.0
    object-group network DM_INLINE_NETWORK_84
    network-object 10.11.217.0 255.255.255.0
    network-object 192.168.201.0 255.255.255.0
    tunnel local & remote networks:
    access-list wan_cryptomap_5 extended permit ip 10.11.217.0 255.255.255.0 192.168.201.0 255.255.255.0
    crypto map wan_map 5 match address wan_cryptomap_5
    crypto map wan_map 5 set connection-type answer-only
    crypto map wan_map 5 set peer 10.0.0.1
    crypto map wan_map 5 set ikev1 transform-set ESP-3DES-SHA
    I've configured the same setup in my lab and I can't reproduce the error.
    The SW version running on ASA is asa861-12.
    I'm out of ideas.

    Just collected some other information:
    1. traceroute shows that traffic is not leaving ASA at all
    1   *  *  *
    2   *  *  *
    3   *  *  *
    I double checked that there is no "strange" entry for remote public IP in routing. Traffic with destination to remote IP should be sent via default gateway like all other traffic.
    2. debug crypto ipsec shows this information when I ping public IP address of the remote host (with VPN
    IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.1.1, sport=30647, daddr=10.0.0.1, dport=30647
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 1: skipping because 5-tuple does not match ACL wan_cryptomap_1.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 2: skipping because 5-tuple does not match ACL wan_cryptomap_2.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 3: skipping because 5-tuple does not match ACL wan_cryptomap_3.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 4: skipping because 5-tuple does not match ACL wan_cryptomap_4.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 5: skipping dormant map.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 6: skipping because 5-tuple does not match ACL wan_cryptomap_6.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 7: skipping because 5-tuple does not match ACL wan_cryptomap_7.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 8: skipping because 5-tuple does not match ACL wan_cryptomap_8.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 9: skipping because 5-tuple does not match ACL wan_cryptomap_9.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 10: skipping because 5-tuple does not match ACL wan_cryptomap_10.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 11: skipping because 5-tuple does not match ACL wan_cryptomap_11.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 13: skipping because 5-tuple does not match ACL wan_cryptomap_13.
    IPSEC(crypto_map_check)-5: Checking crypto map wan_map 65535: skipping dynamic_link.
    IPSEC(crypto_map_check)-1: Error: No crypto map matched.
    It really seems that the whole problem is that ASA is trying to encrypt traffic sent from public IP address of one VPN endpoint and targeted to public IP address of another VPN endpoint and send it to remote VPN endpoint via IPsec tunnel.
    There is indeed VPN tunnel established between both VPN endpoints, but there are just local and remote networks defined with private IP address space for this tunnel, VPN endpoint's public IP addresses are not included in the definition of this IPsec VPN tunnel.
    And there are at least two more IPsec VPN tunnels configured the same way and I can't reproduce this error on these two VPN tunnels.
    Any idea?

  • How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?

    My website is hosted on Sun OS 5.06 (OAS 4.0.8) and using web server: Oracle_Web_Listener/4.0.8. The website is configured to use https for secure pages and it was working fine for the last 10 years, but suddenly I am getting complaints from my customers that they cannot browse the site on Chrome version 40 and above and Firefox 34 and above.
    I searched for this issue and found that there is the POODLE attack which may be causing this issue. Now the only solution I can see is to disable SSL v3 on the server.
    Can anyone help me out with the process or an idea of how to disable SSL v3 on this old server? It's a Sun Microsystems server.

    Hi Aamir,
       This is old software, been a while since I saw one of these.
        Normally when SSL was setup there were two listeners, one with SSL and one without, in a different port, so you could try to find this second port, which may work without any need to change the configuration.
        Else, try to check on the OAS manager (Usually on port 8888), the HTTP listener -> WWW -> Network, if there is a setup only for the SSL port, you will need to add a new line, with the same configuration, but a different port and the security disabled.
        Also, there may be some setting on the application itself for the url path. If so, when you navigate in the application it will try to redirect you back to the SSL port. In that case you will need to figure out where to change that, which depend on the application itself.
       Found this page on google with the process to setup SSL on OAS 4.0, you need to do the inverse of step 5.
    WoSign Support: SSL Certificates Installation Instruction - Oracle Web Server (OAS 4.0.8)
    Regards,
    Luis

  • Any Problems using SSL with Safari and the move with Internet explorer to require only TLS encryption.

    Any Problems using SSL with Safari and the move with Internet explorer to require only TLS encryption.

    Hi .
    Apple no longer supports Safari for Windows if that's what you are asking >  Apple apparently kills Windows PC support in Safari 6.0
    Microsoft has not written IE for Safari for many years.

  • Disable SSL 2.0 on Windows 2008 R2

    Hi.
    Can anyone give me a step by step on how to disable SSL 2.0 on IIS 7.5 please? I cannot find an article for it and those referring to IIS 7.0 do not seem to work.
    Regards,
    Morris
    Best Regards, Morris Fury AFRIDATA.net

    Morris -
    Client-side SSL 2.0 is disabled by default on Windows 7 and Windows Server 2008 R2, which means that, when initiating an SSL connection from either of those two OSes that SSL 2.0 will not be sent as a supported protocol that the server can use. You can see this in the following registry value:
    Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
    Value: DisabledByDefault
    Server-side SSL 2.0 is not, however, disabled by default. This means that some other client, when initiating an SSL connection to Windows Server 2008 R2 can include SSL 2.0 in the list of supported protocols. If SSL 2.0 is the only protocol in common between the client and the server, the server will select it.
    Functionally, there is not much difference between setting Enabled to 0 and setting DisabledByDefault to 1.
    Hope this helps,
    Jonathan Stephens

  • Disabling SSL in Aqualogic Service Registry

    Hi All,
    I have installed and deployed Aqualogic Service Registry (ALSR) on weblogic server 9.2. However, by default, SSL is enabled during installation. I tried disabling SSL using Weblogic Admin Console but that didn't help. Is there a way I can configure ALSR war to disable SSL?
    --Vivek

    Hi James,
    As I am using ALSR and not OSR and also, deploying it on weblogic server (since ALSR doesn't support oc4j server), I don't understand why I need to put this question in SOA suite forum.
    Installation of ALSR creates registry.war that eventually gets deployed on weblogic server. ALSR doesn't allow me to choose SSL enabling, it chooses it by default which is not the case in OSR.
    --Vivek

  • Getting error "Problem with SSL Certificate" but I'm connecting to my private server without SSL

    I wanted to create a PDF from a subtree at a website. The first problem was that Acrobat Pro (11.0.7) wouldn't spider it (probably because there was a robot.txt file there) so I had to use SiteSucker to pull the pages down to my Mac.
    Then I discovered that Acrobat Pro can't handle file:/// URLs so that was no good either
    So then I copied all the pages to a folder on my Linux server where I use a non-standard port (86) for http connection as a minor security precaution.
    When I tried to access that from Acrobat Pro, it bitched about a problem with SSL Certificate but gave me no option to do anything about it. More relevantly, all the files were accessible using http protocol, not https so there shouldn't have been any need to deal with SSL certificates at all
    I had to temporarily enable port 80 on my apache server at which point it's now pulling all the files in and hopefully converting them.
    A) We're at version 11 ---- these kinds of issues should have been fixed years ago
    B) While you're at it, fix the stupid UI issue where the download dialog disappears completely if Acrobat Pro doesn't have the focus. On a long download, I'd like to be able to see progress while working on other stuff. Acrobat Pro is not the center of the universe!

    Interesting point 2, I am working on a Mac plugin at the moment. It does not hide its dialogs when switching to a different app. I consider this a bug and will fix it so the dialog disappears. I hadn't considered the question of progress but there is a very strong reason to do this on the Mac.
    My tests seem to show that
    (a) to get a dialog to sit above PDF documents all the time, it must be on a higher "level".
    (b) if a dialog is at a higher level, this is a global setting.
    So, if the dialog is not hidden when switching all, it will typically sit on top of the other app's document windows. This would not be popular, as the end user, unless they have mountains of screen space and choose to use it that way, must either close or move the dialog when switching app, then bring the dialog back.  So, because Acrobat Pro is not the centre of the universe, it will hide dialogs (or rather, the Mac will, as it's a standard option when creating a window).

  • Problem Disabling Beats Audio w/ Windows 10

    Hi - I have a problem with Beats Audio Control Panel after upgrading Windows 8.1 to Windows 10. I updated the audio drivers, which didn't solve the problem.
    Product Name: Hp Pavilion dv7-7051sw
    Product Number: B6G49EA#AKD
    Driver Versions:
    IDT High Definition Audio CODEC - 6.10.6491.0
    Intel(R) Display Audio Driver - 6.16.0.3154
    NVIDIA Virtual Audio Driver - 1.2.30.0
    I also tried reinstalling this driver but it didn't help.
    It's probably the same issue as here: http://h30434.www3.hp.com/t5/Notebook-PC-Sound-and-Audio/Problem-Disabling-Beats-Audio-w-Windows-8-1/m-p/3208867#M43609
    Thanks for any help.
    DMaster

    Hey, I had the same problem as you and solved it.
    Product Name: HP ENVY 15 Notebook PC
    Product Number: J0C48EA#AB9
    OS: Windows 10 Home 64-bit
    While using Windows 8.1, what I did to disable the Beats Audio Control Panel was to update the driver to the generic High Definition Audio, as this guy shows:
    https://goo.gl/0XN7Nl
    When I upgraded from Windows 8.1 to Windows 10, the new OS started using the IDT driver, enabling the Beats Audio Control Panel.
    I've tried to do the same under Windows 10 but there was Generic Audio Driver a.k.a. High Definition Audio Driver available. This is what I did:
    1. Download, install the High Definition Audio Tool from Microsoft Hardware Dev Center, and restart your PC. This is the generic audio driver that was missing:
    http://download.microsoft.com/download/4/8/D/48D7ED36-832B-41D7-AE0A-04AD7D8CA837/HdauSetup_x64.msi
    https://msdn.microsoft.com/en-us/library/windows/hardware/Dn613936(v=VS.85).aspx
    2. Open Device Manager -> Sound, video and game controllers
    3. Right Click Menu over IDT High Definition Audio CODEC and select Update Driver Software
    4. Choose Browse my computer for driver software
    5. Choose Let me pick from a list of device drivers on my computer
    6. Choose High Definition Audio Device
    7. Select Yes in the Update Driver Warning
    8. The High Definition Audio Codec is installed and the Beats Audio Control Panel disabled
    Now I can hear all my music again without the awful Beats Audio effects and volume variations that are a nag.
    Hope this helps you out. Thank you.
    hitek81

  • Disable SSL 3.0 in DSEE 7

    Hello,
    Is there a way to disable SSL 3.0 in DSEE 7, such that only TLS 1.0/1.1/1.2 can be used?  I Googled for this and found MOS document 1950334.1, but the instructions in the document only apply to a DS proxy server.
    Thanks,
    Dave

    I tried disabling SSLv3 by changing the encryption settings, but it did not actually work.  I loaded the LDIF and restarted the instance, and LDAP indicated that the change took effect:
    root@ldap-test:/# ldapsearch -D "cn=Directory Manager" -w xxxxxxxx -b "cn=config" -s sub '(cn=encryption)'
    version: 1
    dn: cn=encryption,cn=config
    objectClass: top
    objectClass: nsEncryptionConfig
    cn: encryption
    nsSSLSessionTimeout: 0
    nsSSLClientAuth: allowed
    nsSSLServerAuth: cert
    nsSSL2: off
    nsKeyfile: alias/slapd-key3.db
    nsCertfile: alias/slapd-cert8.db
    nsSSL3Ciphers: all
    nsSSL3: off
    However, a test with openssl with the "-ssl3" option (forcing it to only use SSLv3) still connected:
    $ /usr/local/openssl-1.0.1k/bin/openssl s_client -connect ldap-test.our-domain.edu:636 -ssl3
    CONNECTED(00000003)
    ... <showed our server certificate, etc.> ...
    If SSLv3 were actually disabled, that openssl test would have failed with an error. Disabling SSLv3 is required by our auditing tool because of the POODLE vulnerability, and a system cannot pass our audit unless SSLv2 and SSLv3 are disabled completely, but TLS 1.0/1.1/1.2 are still available.
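The check described above, as an added example that is not part of the original post: a shell function that reads captured `openssl s_client` output and reports whether the forced-protocol handshake actually completed. The two sample outputs are constructed, and `ldap-test.example.invalid` and `HOST` are placeholders.

```shell
#!/usr/bin/env bash
# "CONNECTED(...)" only reports the TCP connection and appears whether or not
# the SSLv3 handshake completes, so the verdict comes from the cipher lines.

# Reads captured `openssl s_client` output on stdin; prints accepted|refused.
handshake_result() {
    awk '
        # Summary line: "New, (NONE), Cipher is (NONE)" if nothing was negotiated.
        /Cipher is / { if ($0 !~ /\(NONE\)/) negotiated = 1 }
        # SSL-Session block: "Cipher    : 0000" means no session was set up.
        /^[ \t]*Cipher[ \t]*:/ { if ($NF != "0000") session = 1 }
        END { print ((negotiated && session) ? "accepted" : "refused") }
    '
}

# Constructed sample: handshake completed, so the server still accepts SSLv3.
sample_accepted() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap-test.example.invalid
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
EOF
}

# Constructed sample: TCP connect succeeded but the server refused SSLv3.
sample_refused() {
    cat <<'EOF'
CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}

# Live use against your own server (needs an openssl client built with SSLv3):
#   openssl s_client -connect HOST:636 -ssl3 </dev/null 2>&1 | handshake_result
printf 'accepted sample -> %s\n' "$(sample_accepted | handshake_result)"
printf 'refused sample  -> %s\n' "$(sample_refused | handshake_result)"
```

An audit job can run the same function once per protocol flag and fail the build on any "accepted" result for SSLv2 or SSLv3.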

  • TS3899 iPad mail account says problem with 'ssl settings' - can you help me?

    iPad mail account says problem with 'ssl settings' - can you help me?

    The 4Gs hardware, only 256 MB of RAM, prohibits updating beyond 6.1.6.
    Starting when iOS 7 was released, Apple now allows downloading the last compatible version of some apps (iOS 4.2.1 and later only)
    App Store: Downloading Older Versions of Apps on iOS - Apple Club
    App Store: Install the latest compatible version of an app
    You first have to download the non-compatible version on your computer. Then when you try to purchase the version on your iPod you will be offered a compatible version if one exists.

  • RDS 2012 issues after disabling SSL 3.0

    Hi all, we have Server 2012 R2 RDS infrastructure. I have 2 servers running RD web, gateway, and conn broker using Windows network load balancing. 3 RDSH servers behind them handling user workload.
    Last night I disabled SSL 3.0 on both of these servers using the registry key 'Enabled' set to zero in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server. Servers were rebooted after this change.
    I did not disable SSL 3.0 on the RDSH servers yet, but I don't think it matters in this situation because the SSL traffic only passes between the remote computer and the RDGW server, AFAIK.
    Today all the remote users were having issues with remote desktop sessions disconnecting them, but they would reconnect after a short time. They all told me this is unusual, normally the connections are quite stable. After I turned SSL 3.0 back on and rebooted, no more issues, users are happy. Has anyone else experienced this? Is there anything that can be done to stabilize connections while SSL 3.0 is disabled?

    Hi,
    Thank you for posting in Windows Server Forum.
    Did they receive any precise error when SSL3 is disabled?
    What’s your client OS and RDP version using for your network?
    If you would like to continue with SSL3 disabled you may try to change the RDP Security Layer under Security Layer.
    When you are using RD Security Layer you are susceptible to MITM attack because there is no Server Authentication. I suggest you re-enable TLS 1.0 and have an SSL certificate from a public authority set on your RDP-Tcp listener.
    You can also refer to this article for other information.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • ILOM, how to disable SSL v2?

    Hello
    Is there any possibility to disable SSL v2?
    I want to use HTTPS to connect to the server (Java Console) but it has to use SSL v3 only. When trying to connect with v2 of SSL, the connection should not be established.
    Is there any possibility to do this?
    SP Firmware Version is: 3.0.3.20.e
    SP Filesystem Version 0.1.22
    Edited by: Luceks on Sep 2, 2009 4:28 AM

    Hi.
    You should have a SSL section under:
    1) Log in to the ILOM-SP WEB interface.
    2) Click --> Management --> SSL (or similar...)
    3) The SSL page appears. There're some sections to the SSL page.
    One section includes targets and properties and you can configure the SSL settings displayed in this section page (example):
    **SSL**
    State = Enabled | Disabled
    Roles = Administrator | Operator | Advanced | (none)
    Address = 0.0.0.0
    Port = 0
    4) Save settings page, to save any changes made to this section.
    s.
