Because it’s about time I did it. Sorry people with browsers that still don’t support SNI (not that they can read this), but it’s time to move forward.
In light of today’s news that OpenSSL has been pretty broken for the best part of a year (see: here, amongst others), I decided to revisit the SSL configuration on my Forefront TMG servers with regard to their published websites. Digging around the internet I came across several useful pieces of information that I thought I’d share.
First up is Qualys’ SSL Server Test tool @ https://www.ssllabs.com/ssltest/index.html, which will give you a report on the state of your SSL setup, mine had some issues mostly due to oversights on my part.
Next, is this article on ISAServer.org which runs you through some non-obvious-but-crucial security tweaks you can make to your TMG server to improve its protocol support and avoid a couple of renegotiation issues.
Finally, I was directed to the IIS Crypto tool from Nartac Software, which doesn’t do anything you couldn’t do by hand (and does go back over a couple of protocol tweaks from the previous link), but does make it one hell of a lot easier. Don’t be fooled by the name, the windows crypto settings it changes are server-wide and don’t just affect IIS.
So, with a couple of hours of work I went from an F (Oops, that’ll teach me to forget about disabling SSLv2) to an A and now properly implement PFS for clients that support it.