General links.
CSR/SSL:
Tools to apply best security practices for SSL and TLS:
https://www.nartac.com/Products/IISCrypto/Download
- Download and then click the “Best Practice” button. Uncheck TLS 1.0 under Protocols, MD5 under hashes, Diffie-Hellman under Key exchange. Apply and reboot.
Disable SSLv3 and RC4 for IIS: https://samrueby.com/2015/06/08/how-to-disable-sslv3-and-rc4-ciphers-in-iis/
Disable SSLv3: https://www.digicert.com/ssl-support/iis-disabling-ssl-v3.htm
Disable RC4, CRIME attack, etc.: http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html In particular, look at the GitHub project: https://github.com/NWebsec/NWebsec.AzureStartupTasks/releases
Disable weak ciphers in IIS7: https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
Disable weak ciphers in Apache: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
Ripe standard settings:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"