> > On windows systems there is a simple powershell script that you run which > alters the registry and disables to fallback to older algorithms that have > exploits. It does depend on the OS level though as to how much you need to > do. I attached the powershell script I used to disable a older algorithms > on one of my servers but make sure it suits your OS. I don’t have the link > handy where I got it from tho. Sorry >
The script looks too risky for me to run on my Win 2008 R2 Standard server because, as you say, things like this worry me as being very OS level dependent. It creates a bunch of HKLM registry keys that don't exist. I only have Protocols\SSL 2.0\Client and nothing else at the moment. My site is only used for software testing, so I'll leave it alone for now. Coincidentally, I had that same area of HKLM open last week. I found thousands of items in the event log about TLS not negotiated (or something like that). The workaround was to add this value: HKLM\SYSTEM\CurrentControlSet\Control\Security\Providers\SCHANNEL\EventLogging=DWORD(0) *Greg*
