
How to disable Diffie–Hellman algorithm in MS IIS

twiningstea
Newcomer

Hello!

Does anyone have a ready note about the steps to disable the Diffie–Hellman key exchange algorithm in MS IIS v10?

Currently it says:

The connection to this site is encrypted and authenticated using TLS 1.2
(a strong protocol), ECDHE_RSA with X25519 (a strong key
exchange), and AES_256_GCM (a strong cipher).

We are thinking of lowering the key exchange (handshake) protocol to one supported by RUM/NAM for our cust internal app. The Diffie–Hellman key exchange algorithm does not send the session encryption key over the net, and RUM/NAM is unable to understand TLS encrypted operations.

Regards,

Iger


13 REPLIES 13

twiningstea
Newcomer

Cool stuff! Many thanks!


twiningstea
Newcomer

We have got:

Your connection is not secure
The website tried to negotiate an inadequate level of security.
10.101.2.90 uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.
Error code: NS_ERROR_NET_INADEQUATE_SECURITY

... and currently thinking if we are on the right way ...


I think first you should look at the order of cipher suites that are enabled, and disable weak Cipher Suites. Example of an ordered list, supported by DCRUM:

TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA

Another option is to switch off HTTP/2 and revert back to HTTP/1.1, but I'm not thrilled by that option.
You can read more about this, your error, and possible solutions here:

https://www.tecklyfe.com/how-to-fix-ns_error_net_inadequate_security-and-err_spdy_inadequate_transport_security-in-iis-on-windows-server-2016/


Note that everybody should be aware of the TLS 1.3 ghost however. Once TLS 1.3 becomes the standard in client-server communication, any monitoring solution like AMD's will no longer be able to decode HTTPS/SSL traffic, without additional changes/hardware in the infrastructure. Bottom line will be, you will have to measure from a (man-in-the-middle) point in the traffic path where the traffic is not SSL encoded.

More on that in this Ixia article:

https://www.ixiacom.com/company/blog/implications-tls-13-security-monitoring


twiningstea
Newcomer

Browser F12 security tab says:

The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_256_GCM (a strong cipher).

Does anyone know any Chrome chrome:// parameter to let it work? I am googling but have not yet found any 😞

AES_256_GCM looks like AMD supported, according to

https://answers.dynatrace.com/questions/145444/dea...


I understand that TLS 1.3 will use DH based algorithms only.


Igor, what is set currently in the browser? You may want to disable TLS1.0, and enable 1.2.

See how to do this per browser here:

https://support.engagingnetworks.net/manually-enab...

https://knowledge.digicert.com/generalinformation/...


Did you use the Best Practices button in IIS Crypto? Someone posted on

https://stackoverflow.com/questions/31746620/iis-1...

that he "came across solution posted here and used IIS Crypto and selected Cipher Suites option and clicked Best Practices button" to solve his problem.


Maybe you also have to look at Disabling HTTP/2 / SPDY in HTTP.SYS and IIS in Windows 10

According to another post on https://stackoverflow.com/questions/31746620/iis-... :
"According to the error message this is a SPDY issue, so the certificate and the cipher suites are not the cause.

SPDY is a protocol allowing multiplexing HTTPS requests but it will be replaced by HTTP/2. As a temporary fix, you can apparently disable its support in you browser/registry/server."



More related to your issue I found here:

https://serverfault.com/questions/712808/chrome-re...

https://security.stackexchange.com/questions/83831...

SSL and TLS Deployment Best Practices:

https://github.com/ssllabs/research/wiki/SSL-and-T...

Some more:

https://www.acunetix.com/blog/articles/tls-ssl-cip...


Check this out:

How to Fix NS_ERROR_NET_INADEQUATE_SECURITY and ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY in IIS on Windows Server 2016

https://www.tecklyfe.com/how-to-fix-ns_error_net_i...


imoskovko1
Inactive

Frans, many thanks! I need to study these links carefully.


twiningstea
Newcomer

Frans, after reading all suggested links carefully it became much more clear. Hopefully I had a basic PKI and asymmetric encryption understanding before. I suggest that everyone who touches the NAM HTTPS/TLS topic read these links! Excellent set but requires some background.

We managed to get rid of the NS_ERROR_NET_INADEQUATE_SECURITY Chrome error!

So working combination is HTTP v1.1 + TLS v1.2 with all *DH* disabled

Browser reports The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_256_GCM (a strong cipher).

Our app seems to accept HTTP v1.1 and at first glance it works well using this combination. We are in a complex testing process.

HTTP v1.1 + TLS v1.2 with all *DH* disabled (TLS 1.2 RSA AES_256_GCM) looks like a reasonable tradeoff for us, so far we are not dealing with state, bank, personal data.

We used the following commands to downgrade from HTTP/2 to HTTP v1.1:

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name EnableHttp2Tls -Value 0 -Type DWord

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name EnableHttp2Cleartext -Value 0 -Type DWord

Now we will set up NAM AMD. It will take some time and I will let you know the results here.
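
The configuration described in the post above (all DHE/ECDHE suites off, HTTP/2 off), as an added PowerShell example that is not part of the thread: it saves the current cipher suite list, reports which suites use ephemeral key exchange and which use static RSA, and changes anything only when run with `-Apply`. HTTP/2 has to be turned off alongside the suites because RFC 7540 (Appendix A) prohibits the static-RSA suites, which is what produces NS_ERROR_NET_INADEQUATE_SECURITY. Assumptions: the `-Apply` switch and the backup file name are hypothetical, the host has the built-in TLS cmdlets (Windows Server 2016 or later), and cipher suite order is not enforced by Group Policy.

```powershell
# Added example, not from the thread. Run elevated on the IIS 10 host.
# Assumes the built-in TLS module (Windows Server 2016 or later) and that
# cipher suite order is not enforced by Group Policy.
param([switch]$Apply)   # hypothetical switch: without it the script only reports
$ErrorActionPreference = 'Stop'
$httpParams = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$backup = Join-Path $env:TEMP 'tls-suites-before.txt'   # hypothetical backup file

# Record the current suite order so the change can be reverted later
# with Enable-TlsCipherSuite.
$suites = @(Get-TlsCipherSuite)
$suites.Name | Set-Content -Path $backup

# DHE/ECDHE suites, plus TLS 1.3 suites (always ephemeral), cannot be
# decrypted by a passive probe that only holds the server's RSA key.
$ephemeral = @($suites | Where-Object { $_.Name -match '_(EC)?DHE_|^TLS_(AES|CHACHA20)_' })
$staticRsa = @($suites | Where-Object { $_.Name -like 'TLS_RSA_WITH_*' })

"Ephemeral key exchange ($($ephemeral.Count)):"; $ephemeral.Name
"Static RSA key exchange ($($staticRsa.Count)):"; $staticRsa.Name

# Refuse to continue if nothing would be left to negotiate.
if ($staticRsa.Count -eq 0) {
    throw 'No TLS_RSA_WITH_* suite is enabled; disabling all DHE/ECDHE suites would break TLS.'
}

# HTTP/2 forbids static-RSA suites (RFC 7540, Appendix A), so report the
# HTTP.sys flags the thread sets to 0.
foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
    $value = (Get-ItemProperty -Path $httpParams -Name $name -ErrorAction SilentlyContinue).$name
    "{0} = {1}" -f $name, $(if ($null -eq $value) { '(not set)' } else { $value })
}

if ($Apply) {
    foreach ($s in $ephemeral) { Disable-TlsCipherSuite -Name $s.Name }
    foreach ($name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        Set-ItemProperty -Path $httpParams -Name $name -Value 0 -Type DWord
    }
    'Remaining suites:'; (Get-TlsCipherSuite).Name
}
```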


imoskovko1
Inactive

All works. HTTPS traffic internals are analyzed. Pic:


Nice to see it working. What was the final fix?


This one posted above:

Frans, after reading all suggested links carefully it became much more clear. Hopefully I had a basic PKI and asymmetric encryption understanding before. I suggest that everyone who touches the NAM HTTPS/TLS topic read these links! Excellent set but requires some background.

We managed to get rid of the NS_ERROR_NET_INADEQUATE_SECURITY Chrome error!

So working combination is HTTP v1.1 + TLS v1.2 with all DH disabled

Browser reports The connection to this site uses TLS 1.2 (a strong protocol), RSA (an obsolete key exchange), and AES_256_GCM (a strong cipher).

Our app seems to accept HTTP v1.1 and at first glance it works well using this combination. We are in a complex testing process.

HTTP v1.1 + TLS v1.2 with all DH disabled (TLS 1.2 RSA AES_256_GCM) looks like a reasonable tradeoff for us, so far we are not dealing with state, bank, personal data.

We used the following commands to downgrade from HTTP/2 to HTTP v1.1:

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name EnableHttp2Tls -Value 0 -Type DWord

Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters -Name EnableHttp2Cleartext -Value 0 -Type DWord