With the recent POODLE SSL3 vulnerability a number of sites have disabled the SSL 3 protocol. In some cases, they are also left supporting only the RC4 ciphers under TLS. Specifically these ciphers are the only ones supported on the server:
- TLS_RSA_WITH_RC4_128_SHA (0x5)
- TLS_RSA_WITH_RC4_128_MD5 (0x4)
This Knowledge Base article has very useful information about protocol and cipher support for both clients and servers. http://support.microsoft.com/kb/245030
However, in my tests using ServerXMLHTTP from MSXML6.DLL, it is clear from Wireshark that neither of these RC4 ciphers is sent as part of the CLIENT HELLO, and thus I am unable to complete the TLS negotiation handshake. Attempting to force different ciphers using the registry hacks from the article above (and rebooting after changes) failed to impact the ciphers sent by ServerXMLHTTP.
Is there a way to make a configuration that would allow ServerXMLHTTP to connect via TLS and use either of the above RC4 ciphers?
BTW, I realize RC4 ciphers are no longer recommended nor secure. I have alerted those server admins about their lack of strong cipher support, but until they can make these changes, our systems are unable to complete the SSL handshake.
Thanks,
Jason
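
An added example, not part of the original post: the Wireshark check described above, done in code on the raw bytes of a ClientHello record, reporting whether either RC4 suite from the list is offered. The function names and the sample records are constructed for illustration; a real record would come from a capture export.

```python
import struct

# Suite IDs named in the post (written there as 0x5 and 0x4).
RC4_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
              0x0004: "TLS_RSA_WITH_RC4_128_MD5"}

def client_hello_suites(record):
    """Return the cipher suite IDs offered in a single-record ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:]
    if len(body) != struct.unpack(">H", record[3:5])[0]:
        raise ValueError("record length does not match the data")
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:]
    if len(hello) != int.from_bytes(body[1:4], "big"):
        raise ValueError("ClientHello is fragmented or truncated")
    pos = 2 + 32                          # client_version + random
    if pos >= len(hello):
        raise ValueError("ClientHello too short")
    pos += 1 + hello[pos]                 # session_id length byte + session_id
    if pos + 2 > len(hello):
        raise ValueError("ClientHello too short")
    n = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + n, 2)]

def offered_rc4(record):
    """Names of the RC4 suites from the post that this ClientHello offers."""
    return [RC4_SUITES[s] for s in client_hello_suites(record) if s in RC4_SUITES]

def build_hello(suites):
    """Constructed sample: a minimal TLS 1.0 ClientHello without extensions."""
    hello = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session_id
    hello += struct.pack(">H", 2 * len(suites))
    hello += b"".join(struct.pack(">H", s) for s in suites)
    hello += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

if __name__ == "__main__":
    no_rc4 = build_hello([0x002F, 0x0035, 0x000A])      # AES and 3DES suites only
    print(offered_rc4(no_rc4) or "no RC4 suite offered")
    print(offered_rc4(build_hello([0x002F, 0x0005, 0x0004])))
```

An empty result for a client's ClientHello means a server that accepts only these two suites has nothing in common with it, which matches the handshake failure described in the post.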