jaekie

Reputation: 2303

Disabling SSL 2.0/3.0

Our security scans have come back with the following flaw.

SSL 2.0 deprecated protocol

Now I've told our security person this is either a server issue or something with our BigIP, or a false positive, since I've yet to see any information on turning off SSL 2.0 in web.config, and as I'm only in control of what is in the website and not IIS, I don't believe this to be an issue, yet he is still throwing it back at me saying it's a website issue that needs to be fixed.

The question I have is: am I correct to say there is nothing in the website I can do to fix this (a setting in web.config) and it is a server issue (IIS), or most likely upgrading SSL etc.?

Upvotes: 1

Views: 1727

Answers (1)

anon

Reputation: 4618

Most security scan reports come with links next to each issue with directions on how to fix it. Maybe the security person is hiding something from you or just doesn't feel like dealing with the issue.

Anyways, you are correct -- there is no IIS or web.config setting that will fix the problem. Only a registry hack will do it:

http://support.microsoft.com/kb/187498

http://social.technet.microsoft.com/Forums/en/winservergen/thread/74a45b74-8d84-4308-ba14-02e4bc724e27

Upvotes: 1
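The registry change the answer points to, as an added example that is not part of the original answer: a PowerShell sketch that reports the server-side Schannel state for SSL 2.0 and SSL 3.0 and sets `Enabled` to 0 under the `Protocols` key described in KB 187498. The function names are hypothetical, and it assumes TLS terminates on the Windows server itself; if the BigIP terminates TLS, the scanner is seeing the load balancer's protocol settings instead.

```powershell
# Added example; run from an elevated PowerShell session on the IIS host.
# Key layout follows the Schannel "Protocols" key described in Microsoft KB 187498.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Deprecated = 'SSL 2.0', 'SSL 3.0'

# Hypothetical helper: report what the registry currently says for one protocol.
function Get-SchannelServerState {
    param([Parameter(Mandatory)][string]$Protocol)
    $key   = Join-Path $SchannelProtocols "$Protocol\Server"
    $props = $null
    if (Test-Path $key) { $props = Get-ItemProperty -Path $key }
    [pscustomobject]@{
        Protocol  = $Protocol
        KeyExists = [bool]$props
        # $null here means the value is absent and the OS default applies.
        Enabled   = $props.Enabled
    }
}

# Hypothetical helper: write Enabled=0 (DWORD) under <Protocol>\Server.
function Disable-SchannelServerProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path $SchannelProtocols "$Protocol\Server"
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0')) {
        # Only create the key when missing; New-Item -Force on an existing key would reset it.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
}

# 1. Audit the current state.
$Deprecated | ForEach-Object { Get-SchannelServerState -Protocol $_ } | Format-Table -AutoSize

# 2. Preview the change; remove -WhatIf to apply it.
$Deprecated | ForEach-Object { Disable-SchannelServerProtocol -Protocol $_ -WhatIf }
```

Schannel reads these values at startup, so the server needs a reboot before a rescan will show the protocol as disabled.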
