Disabling SSL v3.0 and RC4

Paul Morrison

13 Nov, 2017 04:18 PM

After deploying Octopus Deploy server to our Azure as a VM, our security team ran a standard Qualys scan which raised concerns that the product was supporting both SSL v3.0 and RC4. According to this article https://octopus.com/blog/poodle it states "From what I understand, IIS and HTTP.sys use whatever protocols are supported by SChannel, which means they'll allow SSL 3.0. It looks like a registry change is necessary to disable SSL 3.0 in SChannel in order to prevent IIS/HTTP.sys from using it."

So, I've changed the registry setting for SCHANNEL and CIPHERS as per the MS notes on how to disable SSL v3.0 and RC4 (see attached screenshot). However, it seems that the Octopus web server is completely ignoring these settings and SSLv3.0 is actually still enabled. How can I disable SSLv3.0 and RC4 completely?

  1. Support Staff 1 Posted by Lawrence Wilson on 14 Nov, 2017 05:13 AM

    Hi Paul,
    Thanks for reaching out. I'm sorry to hear you're having issues when disabling SSL v3.0 and RC4 support on your Octopus server. Can I please confirm if you have performed a full server reboot after making the change to disable SSL v3.0 and RC4?

    Kind Regards,
    Lawrence.

  2. 2 Posted by Paul Morrison on 14 Nov, 2017 09:41 AM

    Hi Lawrence,

    I can confirm I did perform a full reboot of the server after the registry change.

    Regards,
    Paul Morrison

  3. Support Staff 3 Posted by Lawrence Wilson on 14 Nov, 2017 11:58 PM

    Hi Paul,
    Thanks for keeping in touch. In this case I believe one possible solution could be to disable the SSLv3 and RC4 change using an application called IIS Crypto.

    IIS Crypto is a third-party application used to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows and it might be able to assist you. Please ensure that you back up your Octopus server including the Windows registry before making any changes though.

    I am interested to know if this has been helpful for you.

    Kind regards,
    Lawrence.
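
Added example, not part of the original thread or of Octopus Deploy's documentation: a read-only PowerShell audit of the SChannel registry values discussed above, useful for confirming that a manual edit (or a tool such as IIS Crypto) actually produced the expected keys. The key names and expected values are assumptions taken from Microsoft's published SChannel guidance, since the poster's screenshot is not visible on the page.

```powershell
# Added example: read-only audit of the SChannel values that disable SSL 3.0 and RC4.
# The .NET registry API is used on purpose: the RC4 key names contain "/", which
# the PowerShell registry provider treats as a path separator, so provider-based
# cmdlets can read or create the wrong key ("RC4 128" with a subkey "128").
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected settings (assumed from Microsoft's SChannel guidance; all REG_DWORD).
$expected = @(
    @{ Key = 'Protocols\SSL 3.0\Server'; Name = 'Enabled'; Value = 0 }
    @{ Key = 'Ciphers\RC4 128/128';      Name = 'Enabled'; Value = 0 }
    @{ Key = 'Ciphers\RC4 64/128';       Name = 'Enabled'; Value = 0 }
    @{ Key = 'Ciphers\RC4 56/128';       Name = 'Enabled'; Value = 0 }
    @{ Key = 'Ciphers\RC4 40/128';       Name = 'Enabled'; Value = 0 }
)

function Test-SChannelValue {
    param([string]$Key, [string]$Name, [int]$Value)

    $sub = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$Key")
    if ($null -eq $sub) { return 'MISSING KEY' }
    try {
        $actual = $sub.GetValue($Name, $null)
        if ($null -eq $actual) { return 'MISSING VALUE' }

        # A string "0" is not the same as a DWORD 0, so check the value type too.
        $kind = $sub.GetValueKind($Name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            return "WRONG TYPE ($kind)"
        }
        if ([int]$actual -ne $Value) { return "UNEXPECTED ($actual)" }
        return 'OK'
    }
    finally {
        $sub.Close()
    }
}

# Report one row per expected setting; nothing is written to the registry.
$report = foreach ($row in $expected) {
    [pscustomobject]@{
        Key    = $row.Key
        Value  = $row.Name
        Status = Test-SChannelValue @row
    }
}
$report | Format-Table -AutoSize
```

Any status other than `OK` means the setting is missing, misnamed or stored with the wrong type, and so needs correcting before the scan is re-run after a reboot.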


Already uploaded files

  • Octopus-SSL.jpg 39.8 KB
  • Octopus-SSL-Results.jpg 39.2 KB
