Hello,
We have recently obtained a vulnerability assessment, and one of the duties I was responsible for was to make sure all our IIS and ISA servers are not presenting weak ciphers.
I have gone in and edited the registry and I'm reporting good news:
Preferred cipher:
TLSv1/SSLv3, Cipher is RC4-MD5 RC4(128)
Available SSL2 ciphers:
Available SSL3 ciphers:
DES-CBC3-SHA 168 bit
RC4-SHA 128 bit
RC4-MD5 128 bit
Available TLS1 ciphers:
DES-CBC3-SHA 168 bit
RC4-SHA 128 bit
RC4-MD5 128 bit
So SSLv2 is not reporting any available ciphers, and SSL3 and TLS1 are presenting 128-bit and up.
My question is: to be really secure, should I disable the 128-bit ciphers also, and should I remove MD5? Our vulnerability report states that anything equal to or less than a 128-bit cipher is still not that strong. Also, MD5 should not be used.
Will I cause incompatibility with anyone's browsers or SSL sessions if I change these to only allow the 168-bit cipher?
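The post does not show which registry values were changed, only the resulting scan. The script below is an added example, not code from the original post or from any Microsoft tool: it reads the SChannel registry keys that both IIS and ISA use and reports which of the items named in the thread (SSLv2, sub-128-bit ciphers, RC4, MD5) are still not explicitly disabled. It assumes a Windows host with PowerShell available and the standard SCHANNEL key layout; the key names are the documented SChannel ones, but since they vary slightly between Windows versions an absent key is reported as "default" rather than assumed to be safe.

```powershell
# Added example, not from the original post. Audits the SChannel registry keys
# that decide which protocols, ciphers and hashes SChannel consumers (IIS, ISA,
# and anything else on the box) will offer, and flags items that are not
# explicitly disabled. Assumes a Windows host; run from an elevated PowerShell.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelSetting {
    # Returns 'enabled', 'disabled' or 'default' for one protocol/cipher/hash key.
    # 'default' means no explicit Enabled value exists, so the OS default applies,
    # which for every legacy item listed below means it is still offered.
    param([string]$SubPath)
    $Key = Join-Path $Base $SubPath
    if (-not (Test-Path $Key)) { return 'default' }
    $Value = (Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $Value) { return 'default' }
    if ($Value -eq 0) { return 'disabled' }
    return 'enabled'
}

# Policy from the thread: no SSLv2, nothing below 128 bits, no MD5. RC4 is
# included because the scan in the post still shows RC4-SHA and RC4-MD5.
$MustBeDisabled = @(
    @{ Path = 'Protocols\SSL 2.0\Server'; Reason = 'SSLv2 protocol' },
    @{ Path = 'Ciphers\NULL';             Reason = 'no encryption' },
    @{ Path = 'Ciphers\DES 56/56';        Reason = '56-bit key' },
    @{ Path = 'Ciphers\RC2 40/128';       Reason = '40-bit export key' },
    @{ Path = 'Ciphers\RC4 40/128';       Reason = '40-bit export key' },
    @{ Path = 'Ciphers\RC4 56/128';       Reason = '56-bit export key' },
    @{ Path = 'Ciphers\RC4 64/128';       Reason = '64-bit key' },
    @{ Path = 'Ciphers\RC4 128/128';      Reason = 'RC4 stream cipher' },
    @{ Path = 'Hashes\MD5';               Reason = 'MD5 MAC' }
)

$Findings = foreach ($Item in $MustBeDisabled) {
    $State = Get-SchannelSetting -SubPath $Item.Path
    [pscustomobject]@{
        Key    = $Item.Path
        State  = $State
        Reason = $Item.Reason
        Ok     = ($State -eq 'disabled')
    }
}

$Findings | Format-Table -AutoSize

# Anything not explicitly disabled is a finding. A non-zero exit code lets this
# run as a post-change check after the next registry edit.
$Open = @($Findings | Where-Object { -not $_.Ok })
if ($Open.Count -gt 0) {
    Write-Warning ("{0} SChannel item(s) still offered: {1}" -f $Open.Count, ($Open.Key -join ', '))
    exit 1
}
Write-Host 'SChannel cipher policy satisfied.'
```

Two caveats worth keeping in mind when acting on the output: SChannel settings are machine-wide, so disabling a cipher here removes it from every service on the host, not only the IIS or ISA listener that was scanned, and on older Windows versions a change to these values takes effect only after a reboot, so re-run the external cipher scan afterwards rather than trusting the registry alone.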