disable ciphers

on 20.02.2007 23:51:40 by rockymtn

I have a need to disable low-grade encryption on a web
site, which requires SSL on certain pages only. For
those pages, I want to force 128-bit SSL.

IIS 6 only allows me to force 128 on the entire site,
rather than forcing it only when SSL is called on a
page. I found KB article 216482, describing a registry
change to disable selected ciphers. I want to disable
anything with 40 or 56-bit.


Here's the problem: In step 4, the procedure assumes
that a DWORD value exists, named "Enabled." However, the
only key I see is "(default)" with a value not set. The
procedure does not address the possibility of the value
not being there. Simply creating the value didn't
successfully change the cipher behavior.


Any idea why the stated registry value doesn't exist? I
don't know if the procedure didn't take that possibility
into account. Any help would be greatly appreciated.

Re: disable ciphers

on 21.02.2007 02:20:51 by David Wang

I assume you want to accomplish:
> For those pages, I want to force 128-bit SSL.

If I am mistaken, please correct.


Some clarifications on your statements:

IIS6 allows you to force SSL (and optionally, only 128bit encryption
strength) on a per-URL basis. The URL can certainly be "entire site",
but it can also be "entire vdir" or "these specific pages", or even
"this specific URL name which does not correspond to a physical file".

Encryption support on Windows OS is implemented by SCHANNEL and is
configured on a per-machine basis. SCHANNEL allows configuration of
allowed Ciphers and Strength, and it applies uniformly across the
system. Consequences:
1. If IE and IIS are on the same machine and you disable 40/56bit
Ciphers, both IE and IIS will not accept them.
2. It is impossible for IIS to enable 40/56bit Ciphers for one URL and
disable them for another URL.

So, to force 128bit SSL on certain pages, all you need to do is toggle
the AccessSSLFlags property on the IIsWebFile of those pages and you
are done. You can certainly go about restricting 40/56bit Ciphers
system-wide, but I do not see how that achieves your goal.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



On Feb 20, 2:51 pm, "rockymtn" wrote:
> I have a need to disable low-grade encryption on a web
> site, which requires SSL on certain pages only. For
> those pages, I want to force 128-bit SSL.
>
> IIS 6 only allows me to force 128 on the entire site,
> rather than forcing it only when SSL is called on a
> page. I found KB article 216482, describing a registry
> change to disable selected ciphers. I want to disable
> anything with 40 or 56-bit.
>
> Here's the problem: In step 4, the procedure assumes
> that a DWORD value exists, named "Enabled." However, the
> only key I see is "(default)" with a value not set. The
> procedure does not address the possibility of the value
> not being there. Simply creating the value didn't
> successfully change the cipher behavior.
>
> Any idea why the stated registry value doesn't exist? I
> don't know if the procedure didn't take that possibility
> into account. Any help would be greatly appreciated.
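The two mechanisms discussed in this thread, shown as an added administration example that is not code from either poster. The first part sets AccessSSLFlags on a single IIsWebFile through the IIS 6 ADSI provider, which is the per-URL approach David Wang describes; the second part shows the machine-wide SCHANNEL registry change from the original question, creating the "Enabled" DWORD when it is missing. The site id (1), the page path (secure/login.asp) and the list of cipher key names are assumptions for the example; the flag bit values (AccessSSL = 8, AccessSSL128 = 256) are the documented metabase constants.

```powershell
# --- Part 1: per-URL "require SSL, 128-bit only" via the IIS 6 metabase (ADSI) ---
# Assumed for the example: site id 1, page secure/login.asp under the site root.
$siteRoot = [ADSI]"IIS://localhost/W3SVC/1/ROOT"
$pageName = "login.asp"
$parent   = [ADSI]"IIS://localhost/W3SVC/1/ROOT/secure"

# Metabase bit values for AccessSSLFlags (documented constants):
$AccessSSL    = 8     # require SSL for this URL
$AccessSSL128 = 256   # additionally require a 128-bit (or stronger) session
$flags = $AccessSSL -bor $AccessSSL128   # 264

# A file only has its own metabase node once one is created; create it if absent.
$node = $null
try { $node = [ADSI]"IIS://localhost/W3SVC/1/ROOT/secure/$pageName"; $null = $node.Path } catch {}
if (-not $node -or -not $node.Path) {
    $node = $parent.Create("IIsWebFile", $pageName)
}
$node.Put("AccessSSLFlags", $flags)
$node.SetInfo()
Write-Host "AccessSSLFlags on secure/$pageName is now $($node.Get('AccessSSLFlags'))"

# --- Part 2: machine-wide cipher restriction via SCHANNEL (what KB 216482 describes) ---
# This applies to every SCHANNEL consumer on the box (IIS, IE, etc.), not to one URL.
# Cipher key names as used under SCHANNEL\Ciphers; treat the list as an assumption
# for the example and compare it against the KB article for the OS in question.
$weakCiphers = @("RC4 40/128", "RC2 40/128", "RC4 56/128", "RC2 56/128", "DES 56/56")
$base = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"

foreach ($name in $weakCiphers) {
    # The PowerShell registry provider treats "/" in "RC4 40/128" as a path
    # separator, so use the .NET registry API, which does not.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$name")
    $current = $key.GetValue("Enabled")
    if ($null -eq $current) {
        # This is the situation in the original question: the subkey exists but
        # only holds "(default)"; the DWORD has to be created, not just edited.
        Write-Host "Creating Enabled=0 under Ciphers\$name"
    }
    $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}
Write-Host "SCHANNEL cipher settings are read at startup; restart the machine for them to apply."
```

Part 1 is the answer to the question as asked: the 128-bit requirement becomes a property of the URL, and the rest of the site is unaffected. Part 2 is only worth running if the goal is really to refuse weak ciphers everywhere on that machine; as the reply notes, it cannot be scoped to a page, and it changes what the local browser will negotiate as well as what IIS will accept.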