
Latest info? Hardening SSL on Windows 2003, Schannel and MS14-066

Question asked by Paul C. on Jun 30, 2015
Latest reply on Jul 12, 2015 by Paul C.

Hi,

 

We need to perform an SSL hardening exercise on Windows 2003, and need an inconsistency cleared up. 

 

The community article from January this year (Windows 2003 Server SP2 (IIS 6) Best Cipher Suites, HotFix, Nartac, and Descrepancies) suggests a specific process to add the following two new ciphers:

- TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

- TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA

 

However, the process has step 3 as installing KB948963 (https://support.microsoft.com/kb/948963) after updating all pending Windows updates.

 

The critical security update MS14-066 (November 2014) installed schannel.dll version 5.2.3790.5462 for Windows 2003 - while KB948963 will install schannel.dll 5.2.3790.4313, a lower version back on top of this.

 

It seems that the process in the linked community article will resolve our issue with missing ciphers, but reintroduce the issue resolved under MS14-066.

 

Please can someone confirm if there is a way to keep the now current updates and still enable the AES ciphers in Windows 2003.

 

Thanks
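
One way to verify which schannel.dll build a server actually ends up with, as an added example that is not part of the original post. It assumes PowerShell is installed on the server and that schannel.dll sits in the default system32 path; both version numbers are the ones quoted in the post, and the function names are hypothetical.

```powershell
# Added example: classify the installed schannel.dll against the two builds
# named in the post. Versions come from the post; the path is an assumption.

$Ms14066Build  = [System.Version]'5.2.3790.5462'  # schannel.dll from MS14-066 (per the post)
$Kb948963Build = [System.Version]'5.2.3790.4313'  # schannel.dll from KB948963 (per the post)

function Get-BinaryFileVersion {
    param([string]$Path)
    # The FileVersion string can carry a branch suffix after the number,
    # so build the version from the numeric parts instead of parsing it.
    $info  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $parts = $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    New-Object System.Version -ArgumentList $parts
}

function Get-SchannelPatchState {
    param([System.Version]$Installed)
    if ($Installed -ge $Ms14066Build)  { return 'MS14-066 build or newer' }
    if ($Installed -ge $Kb948963Build) { return 'KB948963 build or newer, but older than MS14-066' }
    return 'older than both builds'
}

$dll = Join-Path $env:SystemRoot 'system32\schannel.dll'
if (-not (Test-Path $dll)) {
    Write-Error "schannel.dll not found at $dll"
    exit 2
}

$installed = Get-BinaryFileVersion -Path $dll
$state     = Get-SchannelPatchState -Installed $installed
Write-Output ("{0}  version {1}  ->  {2}" -f $dll, $installed, $state)

# Non-zero exit when the DLL is below the MS14-066 build, so a patch-audit
# job can flag the host.
if ($installed -lt $Ms14066Build) { exit 1 }
```

Running it before and after a hotfix install shows whether the file version on disk changed.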
