Fix Chrome Notification of Obsolete Encryption in IIS8.5 and SQL Server 2012

I am trying to configure IIS 8.5 on Windows 2012 R2 so that I do not receive a notification from Chrome that the website is using obsolete cryptography. The image below is from Mac OS X, but I get a similar message in Windows 8.1, where the encryption algorithm is AES_256_CBC with the SHA1 hash and the key exchange is ECDHE_RSA. The problem is the hashing of messages with SHA1. Google is trying to force websites to use SHA2 message hashing. The Mac uses the SHA256 algorithm for hash signing, but the problem there is the GCM modifier for AES encryption.

I have a new certificate, which is a 2048-bit RSA certificate that supports SHA256 hashing.

I used the NARTAC IIS Crypto tool to configure the IIS server. Protocols enabled: TLS 1.0, TLS 1.1 and TLS 1.2. Ciphers enabled: Triple DES 168, AES 128/128 and AES 256/256. Hashes enabled: SHA, SHA256, SHA384 and SHA512. Key exchanges enabled: Diffie-Hellman, PKCS and ECDH. SSL Cipher Suites enabled, in order:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521 (this is true in the latter instrument)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

I tried a large number of options for this configuration, but none of them produced a working site without the Chrome notification. If I remove AES 128/128 from Ciphers Enabled, it has no effect. If I remove SHA from Hashes Enabled, the website can no longer contact SQL Server 2012, which provides the data for the website. If I remove the SHA1-based SSL Cipher Suites from the enabled order, the browser can no longer connect to the server.

Does anyone have a working Windows IIS 8.5 configuration with SQL Server where the Chrome notification is gone?

+6

2 answers

Windows Server 2012 does not seem to provide the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite needed to resolve this error. See https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx for links to the pages that list the cipher suites for the different Server versions. You will notice that Windows Server 2016 does have this cipher suite, and I found that upgrading to 2016 was the best way to fix the Google error. Note that after upgrading to Windows Server 2016 you will again need to use IIS Crypto 2.0 (or whatever other tool you prefer) to order the ciphers. Using the Best Practices template will get you there. I chose the cipher order that puts TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 at the top of the list.

+5

Place TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 at the top of the list, or do not let the server override the cipher order submitted by the client (which puts its preferred ciphers first). I do not know whether there is an option for this.

For more information about the problem, see https://security.stackexchange.com/questions/85532/chrome-showing-cryptography-as-obsolete/85544#85544

+1
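Both answers come down to the same thing: the server must prefer an ECDHE_RSA AES-GCM suite over the CBC/SHA1 suites that the question keeps for the SQL Server link. The script below is an added example for this thread, not code from the question or from either answer. It assumes Windows PowerShell 5.1 run elevated on the IIS host, that the registry locations named are the ones Schannel reads for the cipher suite order (the same setting IIS Crypto writes, which only takes effect after a reboot), and that the host name passed to the probe is a placeholder. Whether a GCM ECDHE_RSA suite exists at all depends on the Windows version and installed updates, so the script first reads what this build of Schannel can offer and warns if none is there, in which case reordering alone cannot clear the warning, as the first answer found.

```powershell
# Added example (not from the original question or answers). Assumptions: run
# elevated in Windows PowerShell 5.1 on the IIS host; registry paths below are
# the Schannel default list and the Schannel order policy; reboot to apply.

$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Suites this build of Schannel can offer at all (REG_MULTI_SZ). On 2012 R2 the
# names carry a curve suffix (_P256, _P384, _P521); on 2016 and later they do
# not, so the matching below accepts both spellings.
function Get-AvailableSuites {
    (Get-ItemProperty -Path $LocalKey -Name Functions).Functions
}

# The order currently enforced by policy (REG_SZ, comma separated), if any.
function Get-PolicyOrder {
    $p = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($p) { $p.Functions -split ',' } else { @() }
}

# Build a new order: AEAD ECDHE suites first, then ECDHE CBC with SHA-2, then
# the RSA key exchange and SHA-1 suites last. The SHA-1 suites are kept rather
# than dropped because the question reports the SQL Server 2012 connection
# still needs them; they just must not be picked ahead of a GCM suite.
function New-SuiteOrder {
    param([string[]]$Available = (Get-AvailableSuites))
    $tiers = @(
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',       'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA256',       'TLS_RSA_WITH_AES_256_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA',          'TLS_RSA_WITH_AES_256_CBC_SHA'
    )
    $order = foreach ($t in $tiers) {
        # Exact name, or name plus curve suffix; silently skip what Schannel lacks.
        $Available | Where-Object { $_ -eq $t -or $_ -like "$($t)_P*" }
    }
    if (-not ($order | Where-Object { $_ -like 'TLS_ECDHE_RSA_WITH_AES_*_GCM_*' })) {
        Write-Warning 'No ECDHE_RSA AES-GCM suite is available on this build; reordering alone will not clear the Chrome warning.'
    }
    $order
}

# Write the order as policy. Schannel reads at most 1023 characters from this
# value and ignores the rest without complaint, so refuse longer lists.
function Set-SuiteOrder {
    param([Parameter(Mandatory)][string[]]$Order)
    $value = $Order -join ','
    if ($value.Length -gt 1023) {
        throw "Cipher suite list is $($value.Length) characters; the policy value is limited to 1023."
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
    Write-Host 'Policy written; reboot the server for Schannel to pick up the new order.'
}

# Client-side check of what Schannel negotiates with the site over TLS 1.2.
# This uses the local .NET Framework SslStream, so it shows what *this*
# client can agree on; it is a sanity check on the server's ordering, not a
# replacement for looking at Chrome's own security panel.
function Test-NegotiatedSuite {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm   # 44550 is CALG_ECDH_EPHEM, i.e. ECDHE
            Cipher      = $ssl.CipherAlgorithm
            CipherBits  = $ssl.CipherStrength
            Hash        = $ssl.HashAlgorithm
        }
    } finally { $tcp.Close() }
}

# Usage: review the proposed order, apply it, reboot, then probe the site.
$order = New-SuiteOrder
$order
# Set-SuiteOrder -Order $order            # uncomment to apply, then reboot
# Test-NegotiatedSuite -HostName 'www.example.com'   # placeholder host name
```

The probe deliberately pins TLS 1.2 because older .NET Framework defaults for SslStream.AuthenticateAsClient can stop at TLS 1.0, which would make the result say nothing about the GCM suites. If the key exchange comes back as ECDHE and the cipher as AES with a SHA-2 hash after the reboot, the server is preferring the suites Chrome accepts; if it still lands on a CBC/SHA1 suite, either no GCM ECDHE suite exists on this build or the policy value was not picked up.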

Source: https://habr.com/ru/post/984865/

