{"id":14980255,"url":"https://github.com/rylei-m/USU_2024_PS1_Script_For_SSL","last_synced_at":"2025-09-25T14:30:23.092Z","repository":{"id":254915567,"uuid":"843534749","full_name":"rylei-m/USU_2024_PS1_Script_For_SSL","owner":"rylei-m","description":"Powershell Script For Disabling SSL 2.0 and 3.0 and Enabling TLS 1.2/1.3","archived":false,"fork":false,"pushed_at":"2024-11-25T16:13:28.000Z","size":99,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-25T17:24:47.866Z","etag":null,"topics":["powershell-script","ps1-script","ssl-termination","tls","tls12","tls13"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rylei-m.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-16T18:19:14.000Z","updated_at":"2024-11-25T16:13:34.000Z","dependencies_parsed_at":"2024-09-14T12:33:00.580Z","dependency_job_id":"e5850faf-87eb-47b2-af7d-b17db091fb3a","html_url":"https://github.com/rylei-m/USU_2024_PS1_Script_For_SSL","commit_stats":{"total_commits":61,"total_committers":2,"mean_commits":30.5,"dds":"0.049180327868852514","last_synced_commit":"e86eb28b7b4fbf4c251326748c24ac7e86aab078"},"previous_names":["rylei-m/usu_2024_ps1_script_for_ssh","rylei-m/usu_2024_ps1_script_for_ssl"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rylei-m%2FUSU_2024_PS1_Script_For_SSL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rylei-m%2FUSU_2024_PS1_Script_For_SSL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rylei-m%2FUSU_2024_PS1_Script_For_SSL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rylei-m%2FUSU_2024_PS1_Script_For_SSL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rylei-m","download_url":"https://codeload.github.com/rylei-m/USU_2024_PS1_Script_For_SSL/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234084927,"owners_count":18777304,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["powershell-script","ps1-script","ssl-termination","tls","tls12","tls13"],"created_at":"2024-09-24T14:01:31.212Z","updated_at":"2025-09-25T14:30:22.696Z","avatar_url":"https://github.com/rylei-m.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PS1 Script for SSL\n## Powershell Script For Disabling SSL 2.0 and 3.0 and Enabling TLS 1.2/1.3\n\nScript created to disable SSL Version 2.0 and 3.0 and Enable the most viable version of TLS. \n\nOpen SSL 2.0 and 3.0 are affected by several cryptographic flaws that can become harmful to your computer and network if\nexploited. Attacks may use these flaws to conduct man-in-the-middle attacks or to decrypt communications between\naffected services and clients. \n\nA Gigamon article by Dan Daniels provides a brief statement on why this script is necessary. \"Back in 1995, when the \ninternet was still figuring itself out, Netscape decided to address growing concerns over internet security by creating \na form of encryption that would allow data to travel safely without the risk of being intercepted — Secure Socket Layers. \nSSL 1.0 was flawed, and never saw general release, but SSL 2.0 followed shortly afterward, and was then superseded by \nthe much improved SSL 3.0. This final SSL version became the standard for internet encryption for nearly two decades. \nUnfortunately, as technology improved, so did the capabilities of various online threat actors. In late 2014, the Google \nSecurity Team detected a major security flaw in SSL 3.0, necessitating a new approach to communication encryption. TLS \nwas the solution.\" (Daniels)\n\n### Command to Run the Script:\n```\npowershell.exe -ExecutionPolicy Bypass -File \"C:\\Your\\Path\\To\\File\"\n```\nFor more information on running/testing see [TestingInstructions.md](/home/rylei/Documentation/USU_2024_PS1_Script_For_SSH/Docs/Testing/TestingInstructions.md)\n\n### Vulnerabilities Include:\n- RegreSSHion\n- Insecure Padding Scheme with CBC Ciphers\n- Insecure Session Renegotiation and Resumption schemes\n- Command Injection\n- Possible Unauthenticated Code Execution\n\n### Transport Layer Security (TLS)\nTLS is a cryptographic protocol designed to provide communication security over a computer network. \nAims to provide security, privacy, and authentication. For security and consistency purposes we want to upgrade to at \nleast TLS 1.2 but ideally version 1.3. However, some devices are incompatible with version 1.3 so we will continue \nsupport for 1.2. \n\n#### About TLS 1.2\nTLS 1.2, released in 2008, was developed with security and performance in mind. It remained the industry standard until \nthe release of 1.3 in 2018. TLS 1.2 is still functioning. However, it contains obsolete cipher suites that are \nvulnerable to security attacks.\n\nhttps://blog.gigamon.com/2021/07/14/what-is-tls-1-2-and-why-should-you-still-care/\n\n#### About TLS 1.3\nTLS 1.3, released in August 2018, has been widely adopted and is considered the strongest and safest version of the TLS \nprotocol to date. It is supported by major browsers and operating systems, and is recommended for use in secure \ncommunication protocols.\n\n- Elimination of obsolete cryptographic algorithms\n- Enhanced security over older versions\n- Encryption of as much of the handshake as possible\n- Use of just 3 cipher suites with perfect forward secrecy (PFS), authenticated encryption, and modern algorithms\n- Improved privacy through minimal cleartext protocol bits on the wire\n- Content length hiding enabled by minimal cleartext protocol bits\n\nhttps://www.a10networks.com/glossary/key-differences-between-tls-1-2-and-tls-1-3/ \\\nhttps://www.microsoft.com/en-us/security/blog/2020/08/20/taking-transport-layer-security-tls-to-the-next-level-with-tls-1-3/ \\\nhttps://www.appviewx.com/blogs/why-is-tls-1-3-better-and-safer-than-tls-1-2/\n\n### Unified Hello Removal\nUnified hello is a message formater that came out with SSL 2.0. With the removal of SSH 2.0 it is no longer necessary \nand is being removed for storage space optimization. \n\nhttps://security.stackexchange.com/questions/59460/what-is-multi-protocol-unified-hello-and-what-are-the-impacts-of-disabling-ena\n\n### PTC 1.0 Removal\nPrivate Communications Technology (PTC) 1.0 is a protocol developed by Microsoft in the mid-1990s to address security \nflaws in SSL 2.0. With the removal of SSL 2.0 PTC is no longer necessary.\n\nhttps://en.wikipedia.org/wiki/Private_Communications_Technology\n\n### Insecure Cipher Removals\n- RC4: A bulk cipher listed known for its weaknesses and vulnerabilities.\n- 3DES: A bulk cipher considered insecure due to its slow key generation and potential for brute-force attacks.\n- DES: A cipher withdrawn as a standard by the National Institute of Standards and Technology (NIST) in 2005 due to its short key-lengths and weaknesses.\n- Anonymous key exchanges: Generally vulnerable to Man-in-the-Middle (MitM) attacks.\n- CBC mode (without GCM): The CBC encryption algorithm, used in TLS 1.0, SSL 3.0, and lower, is vulnerable to plain-text attacks and the BEAST attack.\n- Export ciphers: Ciphers used for export from the United States in the 1990s, now considered insecure due to their weaknesses and vulnerabilities.\n\nhttps://zofixer.com/what-is-insecure-ssl-insecure-cipher-suite-vulnerability/ \\\nhttps://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/ \\\nhttps://docs.datadoghq.com/code_analysis/static_analysis_rules/go-security/tls-cipher/ \\\nhttps://pleasantpasswords.com/info/pleasant-password-server/f-best-practices/secure-and-harden-your-server-environment/encryption-protocols-and-ciphers\n\n### Secure Ciphers Install\n- AES: Advanced Encryption Standard (AES) is a block cipher algorithm developed by the National Institute of Standards and Technology in 2001. It is considered as industry standard. \n- RC4: Insecure Cipher but Required for Legacy Users\n- 3DES: Insecure Cipher, only supported Cipher by Windows XP\n\nhttps://www.kiteworks.com/risk-compliance-glossary/aes-256-encryption/ \\\nhttps://www.geeksforgeeks.org/advanced-encryption-standard-aes/\n\n### Secure Hashes\nSecure Hashes, also known as Cryptographic Hash Functions, are algorithms that take variable-length input data and \nproduce fixed-length, unique digital message digests.\n- SHA-2: A family of hashes including SHA-224, SHA-256, SHA-384, and SHA-512. Considered Secure except against length extension attacks. \n\nhttps://en.wikipedia.org/wiki/Cryptographic_hash_function \\\nhttps://brilliant.org/wiki/secure-hashing-algorithms/ \\\nhttps://www.encryptionconsulting.com/education-center/what-is-sha/ \\\nhttps://cryptobook.nakov.com/cryptographic-hash-functions/secure-hash-algorithms \\\nhttps://csrc.nist.gov/projects/hash-functions\n\n### Key Exchange Algorithms\nKEAs are cryptographic protocols used to securely establish a shared secret key between two or more parties over an \ninsecure communication channel.\n- Diffie-Hellman Key Exchange: A secure key exchange method first introduced in 1976. It relies on discrete logarithms in a finite field. \n- Elliptic Curve Diffie-Hellman (ECDH): A variant of Diffie-Hellman that uses elliptic curves for key exchange.\n- RSA: An exchange that uses asymmetric cryptography.\n\nKey Exchange Vulnerabilities:\n- Man-in-the-Middle Attacks\n- Key Exchange Protocol Vulnerabilities\n\nMicrosoft Issued Security Advisory: 3174644\n- Updated Support for Diffie-Hellman Key Exchange Fix From 2016, May Need Revisit in the Future\n- https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644\n\nhttps://www.jscape.com/blog/key-exchange \\\nhttps://www.geeksforgeeks.org/implementation-diffie-hellman-algorithm/ \\\nhttps://bluegoatcyber.com/blog/defining-key-exchange-challenges-with-encryption/ \\\nhttps://en.wikipedia.org/wiki/Key_exchange\n\n### Cipher Suites\nCipher Suites are sets of instructions on how to secure a network through SSL or TLS. They provide information about how \nto communicate secure data when using network protocols. \n\nCipher Suites are a combination of the following:\n- Key Exchange Algorithms\n- Authentication/Digital Signature Algorithms\n- Bulk Encryption Algorithms\n- Message Authentication Code Algorithms\n\nhttps://venafi.com/blog/what-are-cipher-suites/ \\\nhttps://www.keyfactor.com/blog/cipher-suites-explained/\n\n### Disabling TLS 1.0 and Adding 1.2/1.3\nTLS 1.0 is a security protocol first defined in 1999 for establishing encryption channels over computer networks. \nEvolving requirements and new security vulnerabilities in TLS 1.0 incentivise disabling TLS 1.0 and moving to 1.2 or 1.3.\n\nhttps://learn.microsoft.com/en-us/security/engineering/solving-tls1-problem \\\nhttps://stackoverflow.com/questions/36265534/invoke-webrequest-ssl-fails\n\n### Default Secure Protocols\n- TLS 1.2: Enabled by default in Windows 8/Windows Server 2012 and higher.\n- TLS 1.1: Not enabled by default in earlier versions of Windows (Windows 7, Windows Server 2012), but can be \nconfigured manually.\n- SSL 3.0 and TLS 1.0: Enabled by default in earlier versions of Windows (Windows 7, Windows Server 2012), but it’s \nrecommended to disable them due to security concerns.\n\n\n- DefaultSecureProtocols Value\tDecimal value  Protocol enabled\n- 0x00000008 -                               8  Enable SSL 2.0 by default\n- 0x00000020  -                             32  Enable SSL 3.0 by default\n- 0x00000080   -                           128  Enable TLS 1.0 by default\n- 0x00000200    -                          512  Enable TLS 1.1 by default\n- 0x00000800     -                        2048  Enable TLS 1.2 by default\n- 0x00002000      -                       8192  Enable TLS 1.3 by default\n\nhttps://knowledge.digicert.com/solution/enable-tls-1-2-as-default-protocols-in-winhttp-windows-2008-and-2012-standard-server \\\nhttps://support.laserfiche.com/kb/1013919/raw \\\nhttps://superuser.com/questions/1080317/how-to-set-tls-protocols-as-default-after-applying-kb3140245\n\n### About Windows Update KB3140245\nApplications and services that are written by using WinHTTP for SSL connections that use the \nWINHTTP_OPTION_SECURE_PROTOCOLS flag can't use TLS 1.1 or TLS 1.2 protocols. This is because the definition of this flag \ndoesn't include these applications and services.\n\nThis update adds support for DefaultSecureProtocols registry entry that allows the system administrator to specify which \nSSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used.\n\nTo apply this update, the DefaultSecureProtocols registry subkey must be added.\n\nhttps://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392 \\\nhttps://www.altium.com/documentation/knowledge-base/altium-designer/update-gives-error-this-application-requires-windows-hotfix-kb3140245?srsltid=AfmBOoqR6KtPjKb0qscR54o1VOx1g8L-wgZMxunOi0Mo63dlZySRgacZ\n\n#### Sources to Get SSL 2.0 and 3.0 on VM\nThe early releases of Firefox would have supported SSL 3.0\n- https://ftp.mozilla.org/pub/firefox/releases/\n\nIIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key \nexchange algorithms on Windows Server 2008, 2012, 2016, 2019 and 2022. It also lets you reorder SSL/TLS cipher suites \noffered by IIS, change advanced settings, implement Best Practices with a single click, create custom templates and test \nyour website.\n\n- https://www.nartac.com/Products/IISCrypto\n\nIn your configuration file(s), find the entry \"SSLProtocol\" and modify it to look like: \\\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n- https://support.globalsign.com/ssl/general-ssl/how-enable-or-disable-ssl-and-tls-versions\n\n### Extra Sources:\nhttps://blog.gigamon.com/2021/07/14/what-is-tls-1-2-and-why-should-you-still-care/ \\\nhttps://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12 \\\nhttps://help.defense.com/en/articles/6302795-ssl-version-2-and-3-protocol-detection-windows-vulnerability \\\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6387 \\\nhttps://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frylei-m%2FUSU_2024_PS1_Script_For_SSL","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frylei-m%2FUSU_2024_PS1_Script_For_SSL","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frylei-m%2FUSU_2024_PS1_Script_For_SSL/lists"}