How to Check and Configure SSL/TLS Versions on Windows Server 2003: Disabling SSL 2.0 and Enabling SSL 3.0



To confirm which SSL/TLS versions your Windows Server 2003 is currently using, you can utilize several methods:

Method 1: Using OpenSSL Command Line

openssl s_client -connect yourdomain.com:443 -ssl2  # Test SSL 2.0
openssl s_client -connect yourdomain.com:443 -ssl3  # Test SSL 3.0
openssl s_client -connect yourdomain.com:443 -tls1  # Test TLS 1.0

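If the server rejects the connection with -ssl2 but accepts -ssl3, you've successfully disabled SSL 2.0. Recent OpenSSL builds no longer include SSL 2.0 and often omit SSL 3.0; if the command stops with an unknown-option error, the client is refusing the protocol, not the server, so run the test from an OpenSSL build that still supports these options.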

Method 2: Online SSL Checkers

Websites like SSL Labs' SSL Test (https://www.ssllabs.com/ssltest/) provide detailed reports about your server's SSL/TLS configuration.

To properly disable SSL 2.0 and enable SSL 3.0, you'll need to modify the Windows Registry:

Step-by-Step Registry Configuration

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

After making these changes, restart your server for them to take effect.

After implementing these changes, verify your configuration using:

nmap --script ssl-enum-ciphers -p 443 yourdomain.com

This will show you which protocols and cipher suites are currently enabled on your server.

While this guide focuses on enabling SSL 3.0, be aware that:

  • SSL 3.0 is now considered obsolete and vulnerable to POODLE attacks
  • Modern systems should use TLS 1.2 or higher
  • Windows Server 2003 reached end-of-life in 2015 and no longer receives security updates

For production environments, consider upgrading to a supported server OS that can handle modern TLS versions.


To verify which SSL/TLS versions your Windows Server 2003 web server is currently using, you can employ several methods:

# Using OpenSSL command (requires OpenSSL installed)
openssl s_client -connect yourdomain.com:443 -ssl2
openssl s_client -connect yourdomain.com:443 -ssl3

# Sample output when SSL 2.0 is disabled:
CONNECTED(00000003)
140735226847040:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Alternatively, use online tools like SSL Labs' SSL Test (https://www.ssllabs.com/ssltest/) or Nmap:

nmap --script ssl-enum-ciphers -p 443 yourdomain.com

Windows Server 2003 uses the Schannel security provider (SCHANNEL in the registry) for SSL/TLS. To disable SSL 2.0:

  1. Open Registry Editor (regedit.exe)
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

To ensure SSL 3.0 is properly enabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000001

While configuring SSL versions, consider these registry tweaks for stronger security:

Windows Registry Editor Version 5.00

; Disable weak ciphers
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

After making registry changes:

  1. Restart the server
  2. Check the SSL version using the methods mentioned earlier
  3. Test with various clients to ensure compatibility
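
An added example, not part of the original guide: a Python script that parses a SCHANNEL .reg file (before import, or an export taken afterwards) and flags settings that conflict with the guidance on this page. The function names and the sample text are constructed for illustration, and treating any non-zero Enabled value as "enabled" is an assumption.

```python
import re

# Constructed sample built from this page's registry fragments. A file exported
# by regedit is UTF-16, so read a real export with open(path, encoding="utf-16").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

; Disable weak ciphers
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
"""

KEY_RE = re.compile(r"^\[.*\\SCHANNEL\\(.+)\]$", re.I)
VAL_RE = re.compile(r'^"Enabled"=dword:([0-9a-f]{8})$', re.I)

def parse_schannel(reg_text):
    """Map each subkey under SCHANNEL (lower-cased) to its Enabled state."""
    state, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):                    # new key section
            m = KEY_RE.match(line)
            key = m.group(1).lower() if m else None
        elif key and (m := VAL_RE.match(line)):     # comments/blanks match neither
            state[key] = int(m.group(1), 16) != 0   # assumption: non-zero enables
    return state

def audit(state):
    """Compare parsed settings with the guidance given on this page."""
    get = lambda name: state.get(name.lower())      # None means "not set"
    findings = []
    if get(r"Protocols\SSL 2.0\Server") is None:
        findings.append("SSL 2.0 server: not set, OS default applies")
    elif get(r"Protocols\SSL 2.0\Server"):
        findings.append("SSL 2.0 server: enabled, should be disabled")
    if get(r"Protocols\SSL 3.0\Server"):
        findings.append("SSL 3.0 server: enabled, vulnerable to POODLE")
    for weak in (r"Ciphers\DES 56/56", r"Ciphers\RC4 40/128"):
        if get(weak) is not False:
            findings.append(weak + ": not disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_schannel(SAMPLE_REG))))
```

On the sample, the script reports SSL 3.0 as enabled and RC4 40/128 as not disabled, because the sample omits that cipher key.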

Remember that while SSL 3.0 is more secure than SSL 2.0, modern security standards recommend using TLS 1.2 or higher. Consider upgrading your server if possible.