Down the rabbit hole, TLS/RSA AES 128 and 256 SHA support for Windows Server 2003
I had an interesting customer ask today, and learned some useful stuff to share about adding TLS_RSA_WITH_AES_128_CBC_SHA (OpenSSL name AES128-SHA) and TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA) support to Windows Server 2003.
In 2008, Microsoft published KB948963, described in "Improving cipher security in Windows Server 2003 SP2" on Microsoft Support, a hotfix that added these cipher suites to Windows 2003. This hotfix is no longer available from Microsoft.
The hotfix contains just two files, Rsaenh.dll and Schannel.dll; the x64 package also carries Wrsaenh.dll and Wschannel.dll, the 32-bit copies that serve WOW64 applications. This will be important later.
Installing this update adds the new cipher suites, but it also breaks certificate enrollment: a patched system can no longer obtain client certificates from a Windows Server 2008 CA whose CA certificate uses SHA-256. That is fixed by another hotfix, KB968730, which is also no longer available from Microsoft. KB968730 likewise contains just two files, Crypt32.dll and Wcrypt32.dll.
So, all told, we want updates for (at least) these six files.
- Rsaenh.dll
- Wrsaenh.dll
- Schannel.dll
- Wschannel.dll
- Crypt32.dll
- Wcrypt32.dll
IMPORTANT! Whenever you download hotfixes or patches from a third-party site, confirm that the package carries a valid Authenticode signature from Microsoft before installing it. A valid signature proves the file has not been modified or faked; an unsigned or tampered package is an arbitrary-code-execution problem, not a compatibility one.
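Here is how I would do that check in practice. This is an added example, not code from the original post or from Microsoft: run it on a current Windows admin workstation (PowerShell 5.1 or later), not on the 2003 box, and point it at the folder you downloaded the packages into. The folder path is an assumption; the signer subject prefix is what Microsoft's code-signing certificates actually carry, but on its own it is only a sanity check, since anyone can mint a certificate with that subject. The `Status -eq 'Valid'` test is the part that proves the chain builds to a trusted root.

```powershell
# Added example: verify downloaded legacy hotfix packages before they go near the server.
# Verify the self-extracting package .exe, not the DLLs inside it: Windows system DLLs are
# catalog-signed, so an extracted Schannel.dll typically reports NotSigned on another machine.
function Test-MicrosoftSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # record this for your change log

    # Status meanings worth knowing:
    #   Valid        - signature verifies and the chain builds to a trusted root
    #   HashMismatch - file content was altered after signing (repacked / trojaned)
    #   NotSigned    - no Authenticode signature at all
    $subjectOk = $false
    if ($sig.SignerCertificate) {
        $subjectOk = $sig.SignerCertificate.Subject -match '^CN=Microsoft Corporation,'
    }

    [pscustomobject]@{
        File        = Split-Path -Path $Path -Leaf
        Status      = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Issuer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '(none)' }
        TimeStamped = [bool]$sig.TimeStamperCertificate   # timestamped signatures outlive the signing cert
        Sha256      = $hash
        Trusted     = ($sig.Status -eq 'Valid') -and $subjectOk
    }
}

# Assumed download location; adjust to wherever the hotfix packages were saved.
$results = Get-ChildItem -Path 'C:\hotfix\*.exe' | ForEach-Object { Test-MicrosoftSignature -Path $_.FullName }
$results | Format-Table File, Status, Trusted, TimeStamped, Signer, Sha256 -AutoSize

# Refuse to continue if anything is not both Valid and signed by Microsoft.
$bad = @($results | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Error ("Do not install: {0} package(s) failed signature verification." -f $bad.Count)
}
```

Any package that is not `Valid` with a Microsoft signer goes in the bin, no matter how plausible the file name looks. These packages were signed in 2008 through 2015, so the signing certificates themselves have long expired; that is fine as long as the signature is timestamped, which is why the `TimeStamped` column is there.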
Schannel.dll and Wschannel.dll make up the Secure Channel (Schannel) security package, and they have been updated a number of times since 2008. The most recent one I found was MS15-055, "Vulnerability in Schannel could allow information disclosure" (May 12, 2015). The download for this is KB3061518, available from the Microsoft Update Catalog. The Schannel.dll inside KB948963 is therefore long superseded: the copy to install is the one from the newest Schannel security update you can find.
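Once the packages are installed, it is worth confirming which builds of the six files actually landed on disk. The following is an added example, not part of the original post, written in PowerShell 2.0 syntax because that is the newest PowerShell release that runs on Server 2003 (it was shipped separately, as KB968930). On an x64 install the W-prefixed 32-bit copies are installed under their normal names in SysWOW64, so the script checks both directories. Compare the reported FileVersion values against the file tables in the KB articles; if schannel.dll still shows the 2008 build after you applied the later security update, the newer package did not take.

```powershell
# Added example: inventory the six DLLs the hotfixes touch, on the 2003 server itself.
# PowerShell 2.0-compatible on purpose (no [pscustomobject], no ordered hashtables).
$files    = 'rsaenh.dll', 'schannel.dll', 'crypt32.dll'
$system32 = Join-Path $env:windir 'System32'
$sysWow64 = Join-Path $env:windir 'SysWOW64'    # exists only on x64 installs

function Get-DllBuild {
    param([string]$Directory, [string]$Name)

    $path = Join-Path $Directory $Name
    if (-not (Test-Path -Path $path)) {
        # A missing crypt32.dll or schannel.dll would be very wrong; surface it rather than skip it.
        return New-Object PSObject -Property @{ Path = $path; Version = '(missing)'; Modified = $null }
    }

    $item = Get-Item -Path $path
    New-Object PSObject -Property @{
        Path     = $path
        Version  = $item.VersionInfo.FileVersion     # compare against the KB article's file table
        Modified = $item.LastWriteTime
    }
}

$results = foreach ($f in $files) {
    Get-DllBuild -Directory $system32 -Name $f
    if (Test-Path -Path $sysWow64) {
        # The Wrsaenh.dll / Wschannel.dll / Wcrypt32.dll package files are installed here
        # under their unprefixed names, for 32-bit processes running under WOW64.
        Get-DllBuild -Directory $sysWow64 -Name $f
    }
}

$results | Format-Table Path, Version, Modified -AutoSize
```

Run it before and after installing and keep both outputs with the snapshot; if the server later misbehaves, knowing exactly which build of each DLL was in place saves a lot of guessing.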
Sidebar: If you've ever wondered what life was like before cumulative updates, this is it. Picking and choosing specific security and non-security updates created a patchwork of different configurations and literally millions of possible installed-and-not-installed combinations. It was awful, and I could not be happier that they moved to cumulative updates. Yes, the updates are bigger, but it is worth it not to have to deal with this.
Reminder: Windows 2003 is extremely very absolutely out of support. If you call Microsoft and ask them to help you fix it, they can't and won't. Take a snapshot first and be prepared for the worst. Even if it doesn't immediately fail, running unsupported software is a material security risk, and nothing mentioned above changes that. <Sales pitch>Part of my work is helping get ancient software running on new operating systems. If you need help with that, please reach out. </sales pitch>
I hope this helps someone else. Good luck.