You are not logged in.
Pages: 1
When doing online SSL tests against my mORMot powered webservices I get a warning about insecure SSL3 protocol,
What is the recomended way to disable the SSL3 option?
Offline
With which class or function are you connecting?
mORMot 1 or mORMot 2?
I have just disabled deprecated and unsafe WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 for the WinHttp client, which is no longer to be used anywhere.
But for the server-side http.sys I don't know how to disable SSL3. I didn't find anything in the API.
I guess this is to be done system-wide, using the registry.
Try https://techcommunity.microsoft.com/t5/ … a-p/287812
My advice is to not use HTTPS with http.sys on production, but put a Linux nginx reverse proxy in front of the mORMot server. You will have a much higher security, and you would be able to easily use free certificates like Let's Encrypt.
Securing Windows and a http.sys server is much harder then a light Linux + Nginx front-end - especially if Windows itself is a bit old. On newer servers, Microsoft disabled SSL3 completely, for instance, IIRC.
Offline
Thank you for your all suggestions
I use mormot 1 for a server side webservices with Http.sys handling the ssl communication .
We have just made registry change and verified that SSL3 is not available anymore after reboot.
UInfortunatelly our client has only one virtual server and it is not an option for them to setup another virtual server to act as a Linux proxy.
Nevertheless we use Win-ACME Windows implementation of LETS encrypt certificates system
Offline
An actual documentation about windows registry for TLS settings - https://docs.microsoft.com/en-us/window … n-settings
BTW TLS1.1 supported only on Windows11 - see comparison table here
Last edited by mpv (2021-09-29 17:51:20)
Offline
Pages: 1