Configuring IIS 7.5 to be FIPS 140.2 compliant
Solution 1
It means that the server supports SSLv2 handshake, even though it may not support SSLv2 itself. Essentially it's an optimization. Instead of a client first requesting SSLv2 (with a SSLv2 handshake) and failing (if the server does not support it), then having to request SSLv3 or better (with a SSLv3 handshake), the client can use the SSLv2 handshake to indicate support for newer protocols.
Solution 2
You can confirm that it is an issue with the SSL Labs Checker by changing the configuration in your browser to only accept SSL 2.0. If you can connect to your site, then SSL 2.0 is still enabled. Otherwise, it is disabled.
Olof Åkesson
Updated on September 17, 2022
Comments
-
Olof Åkesson over 1 year
I need to configure IIS 7.5 (Server 2008 R2) to be FIPS 140.2 compliant.
Specifically, this involves disabling all SSL protocols other than TLS 1.0.
I have set the following registry keys:
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
to Enabled(DWORD) = 0 as per this KB, but SSL Labs' checker says "SSL 2.0+ Upgrade Support" is enabled. (Everything other than that and TLS 1.0 is not available, so we're getting somewhere). It also says "FIPS ready - no" - presumably because SSL 2.0+ Upgrade Support is still enabled.
serversniff.net says SSL 2.0 is turned off, and doesn't say anything about SSL 2.0+ Upgrade Support. Could this be an anomaly with SSL Labs' checker?
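The following PowerShell script is an added example, not part of the question or any answer above: it audits the three server-side Schannel keys named in the question and, with `-Apply`, writes `Enabled` (REG_DWORD) = 0 under each, which is the setting the question describes. It assumes an elevated PowerShell session on the Windows Server 2008 R2 host itself; the `-Apply` switch and the output wording are this example's own. Schannel only reads these values at boot, so a reboot is needed before a re-scan with SSL Labs will reflect the change.

```powershell
# Added example (not from the original post): audit and optionally disable the
# legacy server-side Schannel protocols listed in the question (SSL 2.0, SSL 3.0,
# PCT 1.0). Assumes Windows Server 2008 R2 / IIS 7.5 and an elevated session.
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacyProtocols = @('SSL 2.0', 'SSL 3.0', 'PCT 1.0')

foreach ($proto in $legacyProtocols) {
    $serverKey = Join-Path (Join-Path $base $proto) 'Server'

    # Read the current Enabled value. A missing key or value means the OS
    # default applies, which for these protocols on 2008 R2 is "enabled".
    $current = $null
    if (Test-Path $serverKey) {
        $current = (Get-ItemProperty -Path $serverKey -Name 'Enabled' `
                        -ErrorAction SilentlyContinue).Enabled
    }

    if ($current -eq 0) {
        $state = 'disabled (Enabled = 0)'
    } else {
        $state = 'ENABLED (default or explicit)'
    }
    Write-Output ('{0,-8} Server: {1}' -f $proto, $state)

    if ($Apply -and $current -ne 0) {
        if (-not (Test-Path $serverKey)) {
            New-Item -Path $serverKey -Force | Out-Null
        }
        # Enabled = 0 (REG_DWORD) turns the protocol off for server-side Schannel
        New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
        Write-Output ('         -> wrote {0}\Enabled = 0' -f $serverKey)
    }
}

if ($Apply) {
    Write-Output 'Reboot the server: Schannel reads these values only at startup.'
}
```

Run it once without arguments to see which of the three protocols still lack an explicit `Enabled = 0`, then again with `-Apply` to write the values. Because the script only ever sets `Enabled` to 0 under the `Server` subkeys, it does not touch client-side behaviour or the TLS 1.0 key the question wants to keep available.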
-
MattB almost 14 years
It might be easiest to contact Ivan (the SSL Labs developer) to figure out what exactly that means. Based on the following link, I have a feeling it is because IIS is throwing a 500 error when a SSLv2 connection is attempted, but not sure. blog.ivanristic.com/2009/08/…