All geek questions in one place

Disable Insecure Revision in SslStream

I wrote a web server in .NET that supports HTTPS using SslStream .

Unfortunately, ssllabs.com displays the following message about my implementation:

This server is vulnerable to MITM attacks because it supports unsafe scans.

This is a link to an interesting blog post about vulnerability.

How to disable reconnection in .NETs SslStream ?

+4
source share
2 answers

SslStream uses SChannel.dll under the hood. You can configure which algorithms are available by modifying the registry:

http://support.microsoft.com/kb/245030

In particular, the two entries highlighted in the following screenshot will cancel the TLS renegotiation:

regedit

They are called AllowInsecureRenegoClients and AllowInsecureRenegoServers , both DWORD values, both set to 0 and located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL .

There seems to be a fix you can install that also disables insecure TLS / SSL switching (applies only to Windows XP / Windows2003 server):

http://support.microsoft.com/kb/980436/en-us

+3
source

For window2012, it does not work with "AllowInsecureRenegoClients" and "AllowInsecureRenegoServers" is set to 0.

I changed to AllowInsecureRenegoClients "as 0 and" DisableRenegoOnServer "as 1 and works for me.

+1
source

Source: https://habr.com/ru/post/1499603/

More articles:


All Articles