Monday, 21 January 2013

SSL is dead, long live TLS1.0, er 1.1, er 1.x

I thought I would post this as I couldn't find a definitive answer anywhere: how to enable HTTP Strict Transport Security (HSTS) on IIS 7.5 on Windows 2008 R2. It is really, really simple.
Open IIS Manager, navigate to the site and go to HTTP Response Headers. Add a new HTTP response header with the name Strict-Transport-Security and the value max-age=300.




Then click OK. In my experience, you will more than likely need to restart IIS to get this to work.

I also thought I might mention how to enable TLS 1.1 and TLS 1.2: save the below as a .reg file, import it with the old regedit /s file.reg from an elevated prompt, then reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
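
To confirm after the reboot that the import took effect, the read-only PowerShell check below reads back the four Client and Server keys from the .reg file and compares them with the values it writes. It is an added example, not part of the original post, and the function name Get-SchannelProtocolState is an assumption made for this example.

```powershell
# Added example: read-only audit of the SCHANNEL values set by the .reg file above.
# Kept compatible with PowerShell 2.0, which ships with Windows 2008 R2.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Get-SchannelProtocolState is a name chosen for this example, not a built-in cmdlet.
function Get-SchannelProtocolState {
    param([string[]]$Protocol = @('TLS 1.1', 'TLS 1.2'))

    foreach ($proto in $Protocol) {
        foreach ($role in @('Client', 'Server')) {
            $key     = "$SchannelProtocols\$proto\$role"
            $enabled = $null
            $dbd     = $null
            $status  = 'KeyMissing'   # the import did not create this key

            if (Test-Path -Path $key) {
                $props   = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $dbd     = $props.DisabledByDefault
                # Expected values are the ones the .reg file writes:
                # Enabled = 1 and DisabledByDefault = 0. A value that is
                # absent reads back as $null and is reported as a mismatch.
                if ($enabled -eq 1 -and $dbd -eq 0) { $status = 'AsConfigured' } else { $status = 'Mismatch' }
            }

            # One row per protocol/role pair, with a fixed column order.
            New-Object PSObject -Property @{
                Protocol = $proto; Role = $role; Enabled = $enabled
                DisabledByDefault = $dbd; Status = $status
            } | Select-Object Protocol, Role, Enabled, DisabledByDefault, Status
        }
    }
}

$report = @(Get-SchannelProtocolState)
$report | Format-Table -AutoSize

# Summarise anything that does not match the .reg file.
$bad = @($report | Where-Object { $_.Status -ne 'AsConfigured' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} SCHANNEL keys do not match the .reg file." -f $bad.Count, $report.Count)
}
```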


Another awesome page I found during my travels that needs more publicity is by Qualys. It runs a full SSL/TLS implementation test and tells you how you fared:
https://www.ssllabs.com/ssltest/
After this you may want to change your cipher suites, which in 2008 R2 can now be done in gpedit. Anyway, that is it for this quick brain dump.
