IIS SMTP TLS with 256 bit encryption on IIS 6 [repost]


IIS SMTP TLS with 256 bit encryption on IIS 6 [repost] FastEddie
8/4/2005 9:12:35 AM
iis smtp nntp:
All,

Is there a way to make Windows 2003 IIS 6 support 256 bit TLS? As far as I
have read, IIS6 does not support it. I really need this up and running ASAP!
Do I need to use Apache to do this?

If there is a way for IIS 6, please follow up with info and links if
possible.

Thanks,

FastEddie

Re: IIS SMTP TLS with 256 bit encryption on IIS 6 [repost] John Banes
8/4/2005 10:24:36 PM
I assume you're talking about one of the 256-bit AES cipher suites that have
been defined for use with the TLS protocol? These are not currently
supported by the TLS implementation that's integrated into Windows, and as
such these cipher suites are not currently supported by IIS nor by IE. This
situation may change at some point in the future, but I have no idea as to
when. I mean, it's not like I work for Microsoft or anything. :-)

Why do you require this feature, anyway? In the application threat models
that I've seen, the vulnerability of 128-bit encryption is typically nowhere
near the top of the list. If you were to elaborate a little bit, then you
might obtain a more useful answer, either from me or someone else...

Please feel free to restrict all further responses to this thread to the
microsoft.public.security.crypto newsgroup, as that's the one most relevant
to this subject.

Regards,
John




RE: IIS SMTP TLS with 256 bit encryption on IIS 6 [repost] jonathan.lampe NO[at]SPAM standardnetworks.com
8/26/2005 10:26:06 AM
See also:
http://www.microsoft.com/technet/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.security.crypto&tid=d1dc1340-e004-4da9-97d7-a7d4ba5fd3c0&cat=en-us-technet-security&lang=en&cr=US&sloc=en-us&m=1&p=1

One of the reasons some of us are hoping for AES in Microsoft SSL is that
people (often competitors) are starting to knock (with good reason) Microsoft
SSL as being behind the curve. Almost all major SSL implementations
including those from Sun, OpenSSL and many other commercial SSL stacks for
Windows already include AES support. When people figure out that Microsoft
SSL lacks the AES algorithm, it usually comes as a surprise.

One of the other reasons some of us are hoping for AES in Microsoft SSL is
that it is a FIPS 140 approved algorithm. Several years ago my company ended up
writing an AES library (that subsequently earned FIPS 140-2 validation)
because we couldn't wait for Microsoft to implement AES and get it approved.
Now that Microsoft finally has a FIPS-validated AES module, we're stuck
waiting for them to implement it in SSL so people who are stuck with 3DES as
their only FIPS-approved algorithm can move to something better.

(Feel free to kick me a private response at
"jonathan.lampe@standardnetworks.com" too.)
