Question

As part of PCI compliance testing we discovered that our WCF net.tcp endpoints that are secured using transport-level security and certificates are allowing SSLv2 connections. Our services are self-hosted, so we are not working with IIS to host them and therefore I don't think an IIS-based solution will work.

After looking through a lot of MSDN pages we have yet to find a way to tell the WCF connections what version of SSL to use.

We require that the connections only accept SSLv3 and not SSLv2 for PCI compliance.

Does anyone know how to set the forced SSL version on a WCF connection (both host and client), or is there a broader approach on how to do this for your Windows machine as a whole?


Solution

Not sure if this shouldn't be better asked on Server Fault.

Is it a .NET application? You may want to have a look at ServicePointManager.SecurityProtocol.

Furthermore, you could try the following for, as an example, Windows Server 2008. It should be system-wide, not IIS-specific. Open Command Prompt by navigating to Start > Run > cmd on your server, then execute the following statements:

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f

After that you should now receive an error if you attempt to connect to the server with SSLv2.
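The REG ADD commands above set the same SChannel keys that the following PowerShell script manages. It is an added example, not part of the original answer: it audits the Enabled and DisabledByDefault values for each protocol and side, and lets you disable a protocol in one call instead of editing keys by hand. The key paths and value names are the documented SChannel ones used in the answer; the function names are my own. Note that since this answer was written, SSL 3.0 has also been deprecated (POODLE, and PCI DSS 3.1 onward), so in practice the same call that disables SSL 2.0 is applied to SSL 3.0 as well. Run from an elevated prompt; SChannel reads these keys at boot, so a reboot is needed for the change to take effect.

```powershell
# Added example: audit and set SChannel protocol state through the registry.
# Assumes an elevated PowerShell session on Windows Server 2008 or later.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Returns one row per protocol/side with the current registry values.
    # $null means the key or value does not exist (SChannel then uses its default).
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelBase "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Set-SchannelProtocol {
    # Enables or disables a protocol for the given sides. Disabling writes
    # Enabled=0 and DisabledByDefault=1 so that neither an explicit request
    # nor the system default can select it; enabling writes the inverse.
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,
        [Parameter(Mandatory = $true)][bool]$Enable,
        [string[]]$Sides = @('Server', 'Client')
    )
    $enabledValue = if ($Enable) { 1 } else { 0 }
    $disabledByDefaultValue = if ($Enable) { 0 } else { 1 }
    foreach ($side in $Sides) {
        $key = Join-Path $SchannelBase "$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value $enabledValue `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $disabledByDefaultValue `
            -PropertyType DWord -Force | Out-Null
    }
}

# Usage: disable SSL 2.0 (the answer's goal) and SSL 3.0 (deprecated since),
# then print the resulting state for review before rebooting.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enable $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

The audit function is useful on its own for evidence gathering during a compliance review: a row where Enabled is $null tells you the protocol is running on SChannel's built-in default for that OS version rather than an explicit setting. The ServicePointManager.SecurityProtocol property mentioned in the answer is the complementary, per-process control on the .NET side; the registry keys constrain every SChannel consumer on the machine, including a self-hosted WCF service.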

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow