I have bound a website on IIS7 to a Thawte SSL certificate.
Using https://www.ssllabs.com/ssltest/analyze.html? it shows that the only cipher suites supported are:
Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) 128
and the only Protocol enabled is TLS 1.0.
However, when I switch the binding to a self-signed wildcard certificate, I am able to get this list:
Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) 256
TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
SSL_DES_192_EDE3_CBC_WITH_MD5 (0x700c0) 168
SSL_RC4_128_WITH_MD5 (0x10080) 128
And it shows TLS 1.0, SSL 3.0, SSL 2.0 (INSECURE) all enabled.
I have some questions:
Does the certificate have any say in which ciphers it will support?
Why does the wildcard certificate work with SSL 3.0 but not the CA-issued certificate?
How should I reconfigure IIS/Windows to support SSL 3.0 on the Thawte certificate?