mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

Add support for IIS on Windows 1809 #36

Closed lennybacon closed 3 years ago

lennybacon commented 5 years ago

Here is support for IIS on Windows 10/2019 1809 and above

lennybacon commented 4 years ago

Dear @april, is the generator dead? The PR and my question about what needs to be done from your perspective have been unanswered for months...

april commented 4 years ago

No, it's not dead, I just don't know if I feel comfortable recommending a giant blob of command line commands to run, especially without a good way to undo it.

NoNameForMee commented 4 years ago

I have not looked through the full details of this one MR (which appears related to issue #54), however I came across something similar by Alexander Hass, available at: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12

The script provided over there includes support for other installed OS & IIS versions as well as a sort of "reset" script. Perhaps it would be possible to make something similar here as well... Or perhaps reach out to Alexander Hass and have him help out/contribute (as the script on his website is strictly speaking copyrighted by Alexander Hass).

lennybacon commented 4 years ago

Would be great to keep this going. If you'd like further assistance we could also reach out to MSFT folks...

april commented 4 years ago

If Microsoft has a recommended and supported way to do (and undo) all this, I'd happily add it.

I just don't want people to yell at me if a bunch of scripts screw up their machine. :)

arnydo commented 4 years ago

> If Microsoft has a recommended and supported way to do (and undo) all this, I'd happily add it.
>
> I just don't want people to yell at me if a bunch of scripts screw up their machine. :)

Would it be more appropriate to simply provide the list of recommended ciphers so that they can be input into the appropriate Group Policy? Here is the documentation on setting the supported ciphers via GPO.

The generator could return the properly formatted, comma-separated, list of ciphers that can be copied and pasted into the GPO.

Example: Generator returns:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Paste into GPO: [screenshot of the cipher suite list pasted into the GPO setting]

lennybacon commented 4 years ago

I contacted some ppl at MSFT but there seems to be nobody feeling responsible as there is an overlap of IIS and SCHANNEL. Also nobody I contacted saw the need/goal/benefit in this project, so we cannot expect support from them.

I really like the idea of GPOs, as it is the default management/administration path and is also enterprise compatible.

With the GPOs it is also possible to create an XML file.

GPO Docs on TLS

arnydo commented 4 years ago

I agree, I feel this is an excellent resource to be able to go to and retrieve the latest "recommended" TLS settings for each of the services that we may have deployed. Considering the uniqueness of IIS/SCHANNEL/Windows there should really be, at a minimum, a listing of the current recommended settings. This doesn't necessarily have to be the actual XML file of the settings or a series of PowerShell scripts, but I think it should certainly be considered.

I do like the XML idea. Could simply have the template spit out the XML data that can be copied into the Registry section of the GPO.

april commented 4 years ago

I mean, the recommendations are both in the JSON file that can be programmatically interacted with as well as the Server Side TLS Guidelines:

https://wiki.mozilla.org/Security/Server_Side_TLS

What would the listing say that isn't already in the article?

arnydo commented 4 years ago

> I mean, the recommendations are both in the JSON file that can be programmatically interacted with as well as the Server Side TLS Guidelines:
>
> https://wiki.mozilla.org/Security/Server_Side_TLS
>
> What would the listing say that isn't already in the article?

Honestly, I didn't notice the JSON version. That would suffice in our case, considering there doesn't seem to be a simple method to address IIS/SCHANNEL/Windows in a clean way.

Thanks for pointing this out @april.

nemchik commented 4 years ago

This kind of feels like it might be more successful as a PowerShell module that could be installed from the PowerShell gallery. You may also have a look at https://www.nartac.com/Products/IISCrypto/ (although I wish it were open source)

Firefishy commented 3 years ago

I agree with @nemchik , the https://www.nartac.com/Products/IISCrypto/ is a much better way to manage this on Windows. Giving users a large blob of powershell is just too scary with no simple/safe revert if something goes wrong.

My humble suggestion would be to list windows as an option, but add some text similar to https://github.com/mozilla/ssl-config-generator/blob/master/src/templates/partials/nosupport.hbs and suggest they look at https://www.nartac.com/Products/IISCrypto/

nemchik commented 3 years ago

> I agree with @nemchik , the https://www.nartac.com/Products/IISCrypto/ is a much better way to manage this on Windows. Giving users a large blob of powershell is just too scary with no simple/safe revert if something goes wrong.
>
> My humble suggestion would be to list windows as an option, but add some text similar to https://github.com/mozilla/ssl-config-generator/blob/master/src/templates/partials/nosupport.hbs and suggest they look at https://www.nartac.com/Products/IISCrypto/

Just to add a bit, I love IISCrypto, but I don't think it should be relied on as a mechanism to apply settings from here. Sure it probably could work, but since there's no telling how that program might change over the years and how that might affect its ability to apply settings provided here I would not view it as a viable long term solution. Powershell on the other hand should be pretty straightforward. Having the option to apply changes or revert to Windows built in standard settings should be plenty.

Running a powershell script is no more complicated than configuring apache or nginx.
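As an added illustration of the two points made in this thread (the generator already publishes its recommendations as JSON, and a Windows script is only acceptable if it can back up and revert what it changes), here is a small PowerShell script that is not part of this PR or of the ssl-config-generator project. It turns the IANA cipher names from a guidelines JSON document into the comma-separated list the "SSL Cipher Suite Order" policy expects, and applies or reverts it through the registry value that policy writes. The embedded sample JSON is constructed to mirror the layout of the Mozilla guidelines file (`configurations.<level>.ciphers.iana`); that layout, the 1023-character limit on the `Functions` value, and the need to reboot before Schannel picks up the change are assumptions stated here rather than facts taken from the thread.

```powershell
# Added example, not project code. Run from an elevated PowerShell prompt (HKLM writes).
# Usage: .\Set-SchannelCipherOrder.ps1 -Action List
#        .\Set-SchannelCipherOrder.ps1 -Action Apply -GuidelinesPath .\guidelines.json
#        .\Set-SchannelCipherOrder.ps1 -Action Revert
param(
    [ValidateSet('modern', 'intermediate', 'old')]
    [string]$Level = 'intermediate',
    [ValidateSet('List', 'Apply', 'Revert')]
    [string]$Action = 'List',
    [string]$GuidelinesPath = '',   # empty: use the constructed sample below
    [string]$BackupPath = "$env:ProgramData\schannel-cipher-order.backup.json"
)

# Registry value behind the GPO "SSL Cipher Suite Order" setting (assumed path).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$ValueName = 'Functions'
$MaxLength = 1023   # assumption: Schannel ignores a longer Functions value

# Constructed sample in the layout of the Mozilla guidelines JSON (not the real file).
$SampleGuidelines = @'
{
  "configurations": {
    "intermediate": {
      "ciphers": {
        "iana": [
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
        ]
      }
    }
  }
}
'@

function ConvertTo-GpoCipherList {
    # Build the comma-separated list the GPO setting accepts from the IANA names.
    param([string]$Json, [string]$Level)
    $config = ($Json | ConvertFrom-Json).configurations.$Level
    if (-not $config) { throw "Level '$Level' is not present in the guidelines JSON" }
    $list = @($config.ciphers.iana) -join ','
    if ($list.Length -gt $MaxLength) {
        throw "Cipher list is $($list.Length) characters; limit is $MaxLength"
    }
    return $list
}

function Backup-CipherOrder {
    # Record whether a policy value existed and what it held, so Revert can undo Apply.
    $current = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $previous = $null
    if ($current) { $previous = $current.$ValueName }
    @{ HadValue = [bool]$current; Functions = $previous } |
        ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
}

function Set-CipherOrder {
    param([string]$List)
    Backup-CipherOrder
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $List -Type String
}

function Restore-CipherOrder {
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    $state = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    if ($state.HadValue) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $state.Functions -Type String
    } elseif (Test-Path $PolicyKey) {
        # No policy value existed before: removing it returns Schannel to its built-in order.
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }
}

$json = $SampleGuidelines
if ($GuidelinesPath) { $json = Get-Content -Path $GuidelinesPath -Raw }

switch ($Action) {
    'List'   { ConvertTo-GpoCipherList -Json $json -Level $Level }
    'Apply'  { Set-CipherOrder -List (ConvertTo-GpoCipherList -Json $json -Level $Level)
               'Applied. Reboot before expecting Schannel to use the new order.' }
    'Revert' { Restore-CipherOrder
               'Reverted to the backed-up state. Reboot to take effect.' }
}
```

The backup file is what makes the revert safe: if no `Functions` value existed before, Revert removes the value rather than writing an empty string, which is the difference between "back to the Windows default order" and "no cipher suites at all". Run `-Action List` first and compare the output with `Get-TlsCipherSuite` so you can see which suites the host actually supports before applying anything.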

Firefishy commented 3 years ago

> Just to add a bit, I love IISCrypto, but I don't think it should be relied on as a mechanism to apply settings from here. Sure it probably could work, but since there's no telling how that program might change over the years and how that might affect its ability to apply settings provided here I would not view it as a viable long term solution. Powershell on the other hand should be pretty straightforward. Having the option to apply changes or revert to Windows built in standard settings should be plenty.
>
> Running a powershell script is no more complicated than configuring apache or nginx.

My suggestion would be to add an IIS radio button and have something like the following text:

# IIS server SSL configuration cannot be set using a text configuration file and is unsupported by this tool.
#
# But there are other options available:
#
#   IISCrypto: https://www.nartac.com/Products/IISCrypto/ (easiest)
#   Powershell Script: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
#   Microsoft Documentation: https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

lennybacon commented 3 years ago

Besides the fact that IISCrypto is a handy tool...

IMHO a closed source tool is always more scary than scripts or open source where I can see what it actually does.

🤷‍♂️

lennybacon commented 3 years ago

I'll keep an eye on this issue as it is probably related.

Besides that, I'm totally fine with closing this thread.