Add support for IIS on Windows 1809 #36
Conversation
'TLS_DHE_DSS_WITH_DES_CBC_SHA', | ||
'TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA', | ||
'TLS_RSA_WITH_NULL_MD5', | ||
'TLS_RSA_EXPORT1024_WITH_RC4_56_SHA', |
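Review bot: the suites visible in this hunk (TLS_DHE_DSS_WITH_DES_CBC_SHA, TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, TLS_RSA_WITH_NULL_MD5, TLS_RSA_EXPORT1024_WITH_RC4_56_SHA) are single-DES, export-grade, NULL-encryption and RC4/MD5 suites and must not appear in a list the generator emits as a recommendation, whether or not SCHANNEL still accepts them; drop them here, or if the template needs an explicit deny list, keep them in a separately named list that the template disables rather than enables.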
These may be supported (yikes, are they really???), but we should definitely not include them here.
How else would you suggest to handle this?
Would you prefer to drop all obvious insecure cipher suites (NULL, SHA1, CBC, etc...)?
@april what's to do for me here?
Dear @april, is the generator dead? The PR and my question about what needs to be done from your perspective have been unanswered for months...
No, it's not dead, I just don't know if I feel comfortable recommending a giant blob of command line commands to run, especially without a good way to undo it.
I have not looked through the full details of this one MR (which appears related to issue #54), however I came across something similar by Alexander Hass, available at: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12 The script provided over there includes support for other installed OS & IIS versions as well as a sort of "reset" script. Perhaps it would be possible to make something similar here as well... Or perhaps reach out to Alexander Hass and have him help out/contribute (as the script on his website is strictly speaking copyrighted by Alexander Hass).
Would be great to keep this going. If you'd like further assistance we could also reach out to MSFT folks...
If Microsoft has a recommended and supported way to do (and undo) all this, I'd happily add it. I just don't want people to yell at me if a bunch of scripts screw up their machine. :)
Would it be more appropriate to simply provide the list of recommended ciphers so that they can be input into the appropriate Group Policy? Here is the documentation on setting the supported ciphers via GPO. The generator could return the properly formatted, comma-separated list of ciphers that can be copied and pasted into the GPO. Example:
I contacted some ppl at MSFT but there seems to be nobody feeling responsible as there is an overlap of IIS and SCHANNEL. Also nobody I contacted saw the need/goal/benefit in this project so we cannot expect support from them. I really like the idea of GPOs, as it is the default management/administration path and is also enterprise compatible. With the GPOs it is also possible to create an XML file
I agree, I feel this is an excellent resource to be able to go to and retrieve the latest "recommended" TLS settings for each of the services that we may have deployed. Considering the uniqueness of IIS/SCHANNEL/Windows there should really be, at a minimum, a listing of the current recommended settings. This doesn't necessarily have to be the actual XML file of the settings or a series of PowerShell scripts, but I think it should certainly be considered. I do like the XML idea. Could simply have the template spit out the XML data that can be copied into the Registry section of the GPO.
I mean, the recommendations are both in the JSON file that can be programmatically interacted with as well as the Server Side TLS Guidelines: https://wiki.mozilla.org/Security/Server_Side_TLS What would the listing say that isn't already in the article?
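As an added example (not code from ssl-config-generator, and not the example the earlier comment left out), the JavaScript below takes IANA suite names of the kind the guidelines JSON carries, refuses the suites flagged in this review, and emits the single comma-separated string the Windows "SSL Cipher Suite Order" policy expects. The input object's shape, the sample suite list and the helper names are constructed assumptions.

```javascript
// Added example, not code from ssl-config-generator. The guideline object below
// is constructed; its shape is an assumption, not the real guidelines JSON.
const sampleGuideline = {
  ciphers: {
    iana: [
      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
      'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
      'TLS_DHE_DSS_WITH_DES_CBC_SHA',            // single DES
      'TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA',  // export grade
      'TLS_RSA_WITH_NULL_MD5',                    // no encryption, MD5 MAC
      'TLS_RSA_EXPORT1024_WITH_RC4_56_SHA',       // export grade RC4
    ],
  },
};
// Each pattern marks a suite as unacceptable in a recommended configuration.
const WEAK_SUITE_PATTERNS = [
  /_NULL_/,     // NULL encryption or NULL integrity
  /EXPORT/,     // export-grade (40/56-bit, 1024-bit) key sizes
  /_DES_CBC_/,  // single DES
  /3DES/,       // triple DES, 64-bit block
  /RC4/,        // RC4 stream cipher
  /_MD5$/,      // MD5-based MAC
  /_anon_/,     // anonymous key exchange, no server authentication
];
// The policy takes IANA-style names; an OpenSSL name like
// ECDHE-RSA-AES128-GCM-SHA256 is not valid there, so reject it up front.
const IANA_NAME = /^TLS_[A-Z0-9_]+$/;
// Documented length limit of the SSL Cipher Suite Order policy value.
const GPO_MAX_LENGTH = 1023;

function isWeakSuite(name) {
  return WEAK_SUITE_PATTERNS.some((re) => re.test(name));
}
// Returns the policy string plus the suites that were refused, so the caller
// can show "these were dropped" instead of silently shrinking the list.
function toGpoCipherSuiteOrder(suites) {
  const bad = suites.filter((s) => !IANA_NAME.test(s));
  if (bad.length) throw new TypeError(`not IANA suite names: ${bad.join(', ')}`);
  const dropped = suites.filter(isWeakSuite);
  const value = suites.filter((s) => !isWeakSuite(s)).join(',');
  if (value.length > GPO_MAX_LENGTH) {
    throw new RangeError(`policy value is ${value.length} chars, limit is ${GPO_MAX_LENGTH}`);
  }
  return { value, dropped };
}
console.log(toGpoCipherSuiteOrder(sampleGuideline.ciphers.iana));
```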
Honestly, I didn't notice the JSON version. That would suffice in our case. Considering there doesn't seem to be a Thanks for pointing this out @april.
This kind of feels like it might be more successful as a PowerShell module that could be installed from the PowerShell gallery. You may also have a look at https://www.nartac.com/Products/IISCrypto/ (although I wish it were open source)
I agree with @nemchik, the https://www.nartac.com/Products/IISCrypto/ is a much better way to manage this on Windows. Giving users a large blob of PowerShell is just too scary with no simple/safe revert if something goes wrong. My humble suggestion would be to list Windows as an option, but add some text similar to https://github.com/mozilla/ssl-config-generator/blob/master/src/templates/partials/nosupport.hbs and suggest they look at https://www.nartac.com/Products/IISCrypto/
Just to add a bit, I love IISCrypto, but I don't think it should be relied on as a mechanism to apply settings from here. Sure it probably could work, but since there's no telling how that program might change over the years and how that might affect its ability to apply settings provided here, I would not view it as a viable long term solution. PowerShell on the other hand should be pretty straightforward. Having the option to apply changes or revert to Windows built-in standard settings should be plenty. Running a PowerShell script is no more complicated than configuring apache or nginx.
My suggestion would be to add an
Besides the fact that IISCrypto is a handy tool... IMHO a closed source tool is always more scary than scripts or open source where I can see what it actually does. 🤷♂️
I'll keep an eye on this issue as it is probably related. Besides that, I'm totally fine to close this thread.
Here is support for IIS on Windows 10/2019 1809 and above