Diagnose and Fix SSL/TLS for a Web Site or Web Server

article #1064, updated 2475 days ago

This one courtesy of the amazing Mike Hunsinger.

  1. Run the web site SSL test here, specifying the URL to study:

https://www.ssllabs.com/ssltest/

  2. A rating of A through F, or T, will be reported. T means a fundamental problem with the certificate install itself.

An A rating means the server accepts only protocols that are currently recognized as secure, such as TLS 1.2. Anything below an A rating means the server responded on SSL or other protocols considered insecure.

Scroll down on the SSL Labs rating page to see the technical details on what protocols were detected and which are failing security checks.

If this is a Windows web server, remote in and:

  3. Download the portable app, IIS Crypto, from here:

https://www.nartac.com/Products/IISCrypto/Download

Run this program on the server which hosts the website.

You’ll get a window showing all protocols that are on this server and whether they’re enabled or not. To achieve an A rating, use the details view from SSL Labs as a guide and disable, in IIS Crypto, any protocol that SSL Labs flags as a security risk. Only disable a protocol after verifying that the web site or web application will certainly work with the newer protocols and does not depend on the older ones.

The protocols that a Windows web server will accept are controlled by Windows registry entries. IIS Crypto reads and modifies these registry entries for you.

  4. Reboot the web server. Then retest with SSL Labs. Make further changes as dictated by the scoring detail.
  5. If you have control over workstations, use Group Policy to deploy the certificate to all of them, to disable insecure protocols, and to enable the secured protocols.
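As an added example (not part of this article, and not IIS Crypto's own code), the PowerShell below reads the same Schannel registry keys that IIS Crypto edits, so you can record the server-side protocol state before and after the tool changes it, and it shows the registry write that "disable" amounts to. It assumes a Windows server and an elevated PowerShell session for the disable step; the function names and the choice to allow disabling only the four legacy protocols are this example's own.

```powershell
# Added example (not from the article or IIS Crypto): audit and, optionally,
# disable Schannel protocols through the registry keys IIS Crypto edits.
# Assumes a Windows host; Disable-SchannelServerProtocol needs an elevated session.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol subkeys Schannel understands, oldest first. Which of them SSL Labs
# flags is what its detail view tells you; this script only reports state.
$ProtocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    <#
    .SYNOPSIS
    Reports, for each protocol, how the Server (incoming connection) side is
    configured. A missing key or value means "OS default", so the report says
    so explicitly instead of guessing what the default is on this build.
    #>
    foreach ($name in $ProtocolNames) {
        $serverKey = Join-Path $SchannelProtocols "$name\Server"
        $enabled = 'default'
        $disabledByDefault = 'default'
        if (Test-Path $serverKey) {
            $props = Get-ItemProperty -Path $serverKey
            if ($null -ne $props.Enabled)           { $enabled = $props.Enabled }
            if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
        }
        [pscustomobject]@{
            Protocol          = $name
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            # Explicitly off when Enabled is 0 or DisabledByDefault is 1
            ExplicitlyOff     = ($enabled -eq 0) -or ($disabledByDefault -eq 1)
        }
    }
}

function Disable-SchannelServerProtocol {
    # Writes the two DWORD values Schannel checks. Restricted to the legacy
    # protocols so a typo cannot switch off TLS 1.2/1.3 on the server.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')]
        [string]$Protocol
    )
    $serverKey = Join-Path $SchannelProtocols "$Protocol\Server"
    if ($PSCmdlet.ShouldProcess($serverKey, 'Set Enabled=0, DisabledByDefault=1')) {
        # -Force creates the missing parent keys; values must be REG_DWORD.
        New-Item -Path $serverKey -Force | Out-Null
        Set-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 -Type DWord
        Set-ItemProperty -Path $serverKey -Name 'DisabledByDefault' -Value 1 -Type DWord
        Write-Verbose 'Schannel reads these values at boot; reboot before retesting.'
    }
}

# Usage: audit first, keep the output, then disable only what SSL Labs flagged
# and the application has been confirmed not to need. -WhatIf previews the writes.
Get-SchannelProtocolState | Format-Table -AutoSize
# Disable-SchannelServerProtocol -Protocol 'SSL 3.0' -WhatIf
```

Run the audit before and after IIS Crypto so the change is documented; the "default" entries are the ones where behaviour depends on the Windows version rather than on an explicit setting, which is also why a reboot and an SSL Labs retest, rather than the registry alone, confirm the result.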
