IIS Crypto... What is the point of "Client" settings? - Techist - Tech Forum

04-07-2020, 09:57 PM   #1
Newb Techie
 
Join Date: Apr 2020
Location: UK
Posts: 1
IIS Crypto... What is the point of "Client" settings?

There are registry keys that IIS Crypto changes that are for the server AND the client.

If I set the server side to only accept TLS 1.2, what effect does ticking/unticking the client ciphers have?

What I don't get is - if the server's set to use TLS 1.2 at the lowest for "Server", and the server's "Client" settings are TLS 1.1, and TLS 1.0... what on earth would that do with the handshake?

Does that mean the server only replies using TLS 1.2, but the client can talk to the server with TLS 1.1, and TLS 1.0?
SarahC is offline   Reply With Quote
04-10-2020, 06:25 PM   #2
i2D
i 2 D 2
Join Date: Jan 2015
Location: Earth
Posts: 1,827
Re: IIS Crypto... What is the point of "Client" settings?

Hey Sarah.

If you set server to use TLS 1.2 only, then it will only make outbound connections on TLS 1.2 and accept inbound connections on TLS 1.2.

Therefore, if a client is set to 1.0, 1.1 and 1.2, it may try all 3 (depending on the application support) until the DST server accepts one (being TLS 1.2).

You need to do a lot of testing if you want to disable SSL/TLS as some apps may not support TLS 1.2 yet.
i2D is offline   Reply With Quote
04-14-2020, 08:47 AM   #3
Private Joker
 
carnageX
 
Join Date: Feb 2007
Location: South Dakota
Posts: 24,978
Re: IIS Crypto... What is the point of "Client" settings?

Quote:
Originally Posted by i2D
Hey Sarah.

If you set server to use TLS 1.2 only, then it will only make outbound connections on TLS 1.2 and accept inbound connections on TLS 1.2.

Therefore, if a client is set to 1.0, 1.1 and 1.2, it may try all 3 (depending on the application support) until the DST server accepts one (being TLS 1.2).

You need to do a lot of testing if you want to disable SSL/TLS as some apps may not support TLS 1.2 yet.

Pretty much this.

The company I work at recently switched servers to only TLS 1.2, and we've been having to update older applications that broke because of it; they did not support TLS 1.2, so we had to add support to them.
carnageX is offline   Reply With Quote
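
An added example, not part of any post in this thread: a read-only PowerShell audit that lists the Schannel "Server" and "Client" protocol settings side by side, so the two sets of checkboxes the question asks about can be inspected on a given host. The registry path and the `Enabled` / `DisabledByDefault` value names are the documented Windows Schannel settings and are not quoted in the thread; the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of Schannel protocol keys.
# Assumption: the documented Windows Schannel registry layout shown in $Base.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper: returns the DWORD value, or $null when the key or value is absent.
function Read-SchannelDword([string]$Key, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hypothetical function: emits one row per protocol version and role.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string]$Root = $Base
    )
    foreach ($p in $Protocol) {
        # Server = this machine accepting TLS connections (for example IIS).
        # Client = this machine initiating TLS connections through Schannel.
        foreach ($role in 'Server', 'Client') {
            $key     = Join-Path (Join-Path $Root $p) $role
            $enabled = Read-SchannelDword $key 'Enabled'
            $dbd     = Read-SchannelDword $key 'DisabledByDefault'

            if ($null -eq $enabled -and $null -eq $dbd) {
                $state = 'Not set (OS default applies)'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                $state = 'Disabled'
            } elseif ($null -ne $dbd -and $dbd -ne 0) {
                $state = 'Off unless the application asks for it'
            } else {
                $state = 'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```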
All times are GMT -5.