Maung²'s Technical Adventures


Windows Vista Harden Security (Part 2)

If you are using Windows Vista as your primary operating system, you are likely to run into problems accessing some SSL-enabled sites that you browsed without trouble on Windows XP. Internet Explorer 7 on Windows Vista simply shows the error "Internet Explorer cannot display the webpage" when you browse to certain HTTPS URLs. I am NOT talking about the warning about an untrusted or expired certificate. If you have encountered this problem before, you know how frustrating it can be. ;)

To understand this problem, let's start with the fundamentals of SSL communication.

SSL communication starts with a handshake between server and client, in which asymmetric encryption is used to exchange a symmetric encryption key, also known as the session key. The session key is then used for the rest of the session to encrypt and sign (integrity-protect) the HTTP packets exchanged between client and server. SSL has evolved over several versions: 1.0, then 2.0, and now SSL 3.0 as well as TLS 1.0, together referred to as SSL/TLS. Both SSL 3.0 (http://home.netscape.com/eng/ssl3/draft302.txt) and TLS 1.0 (RFC 2246), along with its Internet-Drafts, allow different asymmetric/symmetric encryption and hashing algorithms to be used within an SSL/TLS session.

In Windows Vista, cipher suites (the pre-defined combinations of encryption and hashing algorithms used for SSL communication) that use DES encryption are disabled by default, so browsing to an SSL site that supports only DES encryption results in the error mentioned above.

The ideal solution would be to reconfigure the web site to support an encryption algorithm other than DES, such as AES or 3DES. Unfortunately, we usually have no say over how the web server is set up or configured, so the only workaround is to configure Windows Vista to support DES encryption over SSL/TLS until the SSL site is updated to use other algorithms.

To enable DES support for SSL/TLS in Windows Vista, try the following steps at your own discretion.

  1. Go to the Start Menu, type gpedit.msc in the Start Search box and press <ENTER>.
    There might be a UAC elevation prompt. Just allow the action and proceed with the next step.
  2. Under Computer Configuration in Group Policy Object Editor, expand Administrative Templates, expand Network, expand SSL Configuration Settings, and then double-click SSL Cipher Suite Order.
  3. Select Enabled and prepend “TLS_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,” to the beginning of the pre-populated string value. Note the trailing comma, and make sure there is no embedded space anywhere in the string.
  4. Click OK and restart your computer. (Note: the gpupdate command will refresh the Group Policy settings, but reconfiguring SChannel.dll requires a restart.)

Here is an alternative solution for those who can't get their hands on gpedit.msc (Vista Home Basic/Premium users). This solution carries more risk, because you will edit registry values directly.

  1. Launch "Registry Editor" (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\
    Configuration\SSL\00010002
    (If the key does not exist, create it accordingly.)
  3. Create a String (REG_SZ) registry value and name it "Functions".
  4. Set its value to
    "TLS_RSA_WITH_DES_CBC_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    TLS_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_RC4_128_MD5,
    SSL_CK_RC4_128_WITH_MD5,
    SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
    TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA"
    (There must not be any line break or embedded space; it is a single comma-separated line.)
  5. Quit the Registry Editor and restart the system.
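The following is an added example (not code from the original post) that works on the cipher-suite names and the "Functions" string used in both procedures above, without touching the registry. It splits each suite name into the algorithm components the post describes (key exchange, encryption and hashing algorithm), flags the suites a defender would want to remove again once the site is fixed (single DES, RC4, NULL, MD5 and the SSL 2.0 suites), validates the string against the post's formatting rules (one line, no embedded spaces, no stray commas) and renders the equivalent .reg file. The split of a name into key exchange / cipher / MAC follows the naming convention of the suites listed on the page and is this example's own assumption, not an SChannel API; the sample value is constructed from a subset of the post's list.

```python
"""Audit and serialise a Windows SChannel cipher-suite order ("Functions") string.

Added example, not code from the original post. Parsing a suite name into
key exchange / cipher / MAC is an assumption about the naming convention of the
suites the post lists, not an SChannel API. Nothing here writes to the registry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry key named in the post (policy-scoped SChannel cipher suite order).
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"

# Constructed sample: a subset of the post's value, DES suite placed first as instructed.
SAMPLE_FUNCTIONS = (
    "TLS_RSA_WITH_DES_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,"
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,"
    "SSL_CK_RC4_128_WITH_MD5,"
    "TLS_RSA_WITH_NULL_SHA"
)


@dataclass
class Suite:
    name: str
    protocol: str          # "SSL2" for SSL_CK_* names, "TLS" otherwise
    key_exchange: str      # RSA, DHE_DSS, ECDHE_RSA, ...
    cipher: str            # DES_CBC, AES_128_CBC, RC4_128, NULL, ...
    mac: str               # SHA or MD5
    curve: Optional[str]   # P256/P384/P521 suffix on ECDHE suites, else None


def parse_suite(name: str) -> Suite:
    """Split an SChannel suite name into its algorithm components."""
    m = re.fullmatch(r"SSL_CK_(.+)_WITH_(MD5|SHA)", name)
    if m:  # SSL 2.0 style names carry only cipher and MAC; key exchange was RSA
        return Suite(name, "SSL2", "RSA", m.group(1), m.group(2), None)
    m = re.fullmatch(r"(?:TLS|SSL)_(.+?)_WITH_(.+?)_(MD5|SHA)(?:_(P\d{3}))?", name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name!r}")
    return Suite(name, "TLS", m.group(1), m.group(2), m.group(3), m.group(4))


def weakness(s: Suite) -> Optional[str]:
    """Reason a suite should not stay enabled, or None if acceptable here.
    3DES and SHA-1 are left alone because the post treats them as the fallback."""
    if s.protocol == "SSL2":
        return "SSL 2.0 suite"
    if s.cipher == "NULL":
        return "no encryption"
    if s.cipher.startswith("DES_"):
        return "single DES (56-bit key)"
    if s.cipher.startswith("RC4"):
        return "RC4 stream cipher"
    if s.mac == "MD5":
        return "MD5 MAC"
    return None


def validate_functions(value: str) -> List[str]:
    """Check the post's formatting rules: one line, no whitespace, no empty
    entries (a stray comma), and every name parseable."""
    problems = []
    if re.search(r"\s", value):
        problems.append("value contains whitespace or a line break")
    for i, name in enumerate(value.split(",")):
        if name == "":
            problems.append(f"empty entry at position {i} (check for a stray comma)")
            continue
        try:
            parse_suite(name)
        except ValueError as e:
            problems.append(str(e))
    return problems


def audit(value: str) -> List[Tuple[int, str, str]]:
    """Return (position, suite name, reason) for every weak suite in the order."""
    findings = []
    for i, name in enumerate(value.split(",")):
        reason = weakness(parse_suite(name))
        if reason:
            findings.append((i, name, reason))
    return findings


def strip_weak(value: str) -> str:
    """Rollback helper: the same order with the weak suites removed."""
    return ",".join(n for n in value.split(",") if weakness(parse_suite(n)) is None)


def to_reg_file(value: str) -> str:
    """Render the value as a .reg file for the key named in the post."""
    if validate_functions(value):
        raise ValueError("refusing to write an invalid Functions string")
    return f'Windows Registry Editor Version 5.00\r\n\r\n[{REG_KEY}]\r\n"Functions"="{value}"\r\n'


if __name__ == "__main__":
    for pos, name, why in audit(SAMPLE_FUNCTIONS):
        print(f"position {pos}: {name} -> {why}")
    print(to_reg_file(strip_weak(SAMPLE_FUNCTIONS)))
```

Running the script prints the DES, RC4 and NULL suites with their positions, then a .reg file for the order with those suites removed, which is the change to apply once the site no longer needs DES.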

If you trust me ;), you can download the attachment from this post and apply the registry patch. That would be the easiest way.

After the restart, you should be able to happily browse the SSL sites that you could not reach from Windows Vista before.

References:
http://support.microsoft.com/kb/929708
http://support.microsoft.com/kb/245030

This is the price you have to pay for a more secure operating system.

Comments

indkp said:

Hi,

I followed the same instructions for browsing the https://online.mutadawil.com website, but it seems not to be working. I am trying from IE & Windows Vista Premium. When I tried from Mozilla it was a success, but not from IE.

I'm very new to these security issues. How can I know the encryption algorithm for this website? I'm sure the certificate is new and its version is SSL3.

Surprisingly, I am able to browse some other https websites from IE7, but not our own website :(. We are accessing this from a CISCO ASA firewall network.

Please help

Thanks

# May 22, 2007 3:07 PM
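The commenter asks how to find out which encryption algorithm a site uses. The following is an added example, not code from the original post or its comments, that answers that from the client side with Python's ssl module: it lists the suites the local client offers, checks whether single DES is among them, and attempts a handshake to report the negotiated suite or the error. Because Python's ssl module is built on OpenSSL, suite names are OpenSSL's (for example DES-CBC-SHA for single DES and DES-CBC3-SHA for 3DES), not the SChannel names in the post. The host name in the usage line is a placeholder to replace.

```python
"""Report what this client offers and what a server negotiates over TLS.

Added example, not from the original post or its comments. Uses only the
standard library; suite names are OpenSSL's, not SChannel's.
"""
import re
import socket
import ssl
from typing import Dict, Iterable, List, Optional

_SINGLE_DES = re.compile(r"(?:^|-)DES-CBC-")  # DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, ...


def offers_single_des(cipher_names: Iterable[str]) -> bool:
    """True if any OpenSSL-style suite name is single DES (DES-CBC-), which is
    distinct from triple DES (DES-CBC3-)."""
    return any(_SINGLE_DES.search(n) for n in cipher_names)


def client_offered_ciphers(ctx: Optional[ssl.SSLContext] = None) -> List[str]:
    """Suite names the local client would send in its ClientHello."""
    ctx = ctx or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]


def handshake_report(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Attempt a TLS handshake and report the negotiated suite, or why it failed.
    An ssl.SSLError mentioning a handshake failure is the symptom the post
    describes: the server accepts none of the suites the client offered."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, protocol, bits = tls.cipher()
                return {"ok": True, "cipher": name, "protocol": protocol, "bits": bits}
    except ssl.SSLError as e:
        return {"ok": False, "stage": "tls", "error": str(e)}
    except OSError as e:  # DNS failure, refused connection, timeout
        return {"ok": False, "stage": "tcp", "error": str(e)}


if __name__ == "__main__":
    names = client_offered_ciphers()
    print(f"client offers {len(names)} suites; single DES offered: {offers_single_des(names)}")
    print(handshake_report("www.example-host.invalid"))  # placeholder host name
```

If the report shows "ok": True, the "cipher" entry is the suite the server picked for this client; a "tls"-stage failure with a handshake error, while Firefox succeeds, points at a cipher-suite mismatch rather than a certificate problem, which is the situation the post is about.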