
IIS 7.5, Chrome and obsolete cryptography

Question asked by dissssss on Jun 11, 2015
Latest reply on May 31, 2017 by j-mailor

Hi all,


We're currently running a number of IIS 7.5 servers which are set up using the script at https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12. This is obviously a big improvement over the Microsoft defaults, but does mean anyone curious enough to click the padlock in Chrome will see a 'Your connection to x is encrypted with obsolete cryptography' message.


I understand that Google considers CBC mode cipher suites obsolete but I'm less sure what can be done about this with an IIS 7.5 server.


It seems like the choices are:

1) Prioritise TLS_DHE_WITH_AES_128GCM_SHA256 which uses a 1024-bit prime


2) Prioritise TLS_RSA_WITH_AES_128_GCM_SHA256 which means no forward secrecy


3) Prioritise TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and obtain an ECDSA certificate, which means dropping compatibility for older browsers


Is this correct?
