RIP SSL 3.0. Long live TLS.

We use IIS for the marketing site at work as soon as I saw this news break I started poking around its https settings and found nothing. Ended up Gogling the issue and of course it’s a registry edit that needs to be deployed to every server and added to the server setup documentation.

I couldn’t find the official IIS documentation for this so I put my faith in DigiCert’s instructions on disabling SSL in IIS. Later tests from the Qualys SSL Test site prove it worked. Ended up finding the actual docs for disabling SSL in ISS while writing this post.

Timeline: Tuesday announce by Google, Wednesday fix committed by me, Thursday fix deployed by IT. If I’d caught the news sooner IT may have gotten it Wednesday.

There’s no downside to this unless you still have IE6 users that need to access your site via https. We only have one page that uses https and the rest of the site doesn’t support IE6 anyway.

More concerning are the results of the Qualys test. IIS 7 apparently still supports SSL 2.0 and doesn’t have support enabled for TLS 1.1 or 1.2. Guess I’ll be sending out one more registry patch to IT on Monday. (Less worried about SSL 2.0 since IE7 had it disabled by default, but the later TLS versions really need to be on.)