
Unexpected results for Secure Renegotiation on Windows 2003

Question asked by Douglas Foster on Apr 13, 2016
Latest reply on May 3, 2016 by Ivan Ristić

According to Microsoft's documentation on MS10-049, creating the registry value AllowInsecureRenegoClients (DWORD) = 0 should ensure that all renegotiation is secure (and unpatched clients will be rejected). Omitting the value or setting it to anything nonzero should make secure renegotiation optional, which seems the weaker configuration.

However, when SSL Labs scans my machines, the ones with the registry key set to lock down are reported negatively for not supporting secure renegotiation at all, while the ones that I think are less well locked down are reported favorably as supporting secure renegotiation.

Can someone explain my error, or is the scan evaluating my security incorrectly?
