#1 2021-09-28 07:25:00

EvaF
Member
Registered: 2014-07-19
Posts: 40

Disable insecure SSL3 protocol?

When doing online SSL tests against my mORMot powered webservices I get a warning about insecure SSL3 protocol.

What is the recommended way to disable the SSL3 option?

Offline

#2 2021-09-28 08:21:35

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,207
Website

Re: Disable insecure SSL3 protocol?

With which class or function are you connecting?
mORMot 1 or mORMot 2?

I have just disabled deprecated and unsafe WINHTTP_FLAG_SECURE_PROTOCOL_SSL3 for the WinHttp client, which is no longer to be used anywhere.

But for the server-side http.sys I don't know how to disable SSL3. I didn't find anything in the API.
I guess this is to be done system-wide, using the registry.
Try https://techcommunity.microsoft.com/t5/ … a-p/287812

My advice is to not use HTTPS with http.sys on production, but put a Linux nginx reverse proxy in front of the mORMot server. You will have much higher security, and you would be able to easily use free certificates like Let's Encrypt.
Securing Windows and a http.sys server is much harder than a light Linux + Nginx front-end - especially if Windows itself is a bit old. On newer servers, Microsoft disabled SSL3 completely, for instance, IIRC.

Offline

#3 2021-09-28 08:59:35

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,539
Website

Re: Disable insecure SSL3 protocol?

I confirm - for http.sys level the only way is editing the registry system-wide (also this is a way to enable TLS1.2/1/3 on win10).
+++ for @ab remark about nginx + optional Let's Encrypt

Offline

#4 2021-09-28 18:11:18

EvaF
Member
Registered: 2014-07-19
Posts: 40

Re: Disable insecure SSL3 protocol?

Thank you for all your suggestions.

I use mORMot 1 for server-side webservices with http.sys handling the SSL communication.

We have just made the registry change and verified that SSL3 is not available anymore after reboot.

Unfortunately our client has only one virtual server and it is not an option for them to set up another virtual server to act as a Linux proxy.

Nevertheless we use Win-ACME, a Windows implementation of the Let's Encrypt certificate system.

Offline

#5 2021-09-29 17:46:42

mpv
Member
From: Ukraine
Registered: 2012-03-24
Posts: 1,539
Website

Re: Disable insecure SSL3 protocol?

Actual documentation about the Windows registry for TLS settings - https://docs.microsoft.com/en-us/window … n-settings

BTW TLS1.1 is supported only on Windows11 - see the comparison table here

Last edited by mpv (2021-09-29 17:51:20)

Offline
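
The system-wide registry change discussed in this thread, as an added example that is not part of any post here. The Schannel protocol key and its Enabled / DisabledByDefault values are the ones Microsoft documents; Set-SchannelProtocol and Get-SchannelProtocol are hypothetical helper names. Run from an elevated PowerShell prompt.

```powershell
# Added example. http.sys delegates TLS to Schannel, which reads its
# per-protocol switches from this key (system-wide, not per application).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'SSL 3.0'
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path (Join-Path $base $Protocol) $Role
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 refuses the protocol; DisabledByDefault=1 keeps it from being offered.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelProtocol {
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'))
    foreach ($p in $Protocol) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $p) $role
            $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # A missing key or value means the OS built-in default applies.
            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                Enabled           = if ($null -ne $v.Enabled) { $v.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# Turn SSL 3.0 off for the server side (what http.sys uses), then show the state.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Role Server -Enabled $false
Get-SchannelProtocol | Format-Table -AutoSize
```

Reboot before re-running the online SSL test, as was done in post #4. The setting affects every Schannel consumer on the machine, not only the mORMot service.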
