Forefront TMG 2010 now supports the secure TLS renegotiation extension

The KB980346 update published today by Microsoft upgrades the Windows SChannel component that Forefront TMG 2010 relies on, so that it supports the secure TLS renegotiation extension.

This should apply to both the reverse web proxy scenario (web server publishing) and the forward web proxy scenario (when HTTPS Inspection is used).

How to check for it (below, TMG was installed on Windows Server 2008 R2 SE)?

- For the reverse web proxy scenario (web server publishing), simply download the latest version of Opera (Opera on Windows is shown below), access the published secure web site with Opera and click the SSL padlock icon. If a web site does not support secure renegotiation, Opera shows the warning seen below. If you want a more detailed scan, use SSL Labs, which reports whether secure and/or insecure TLS renegotiation is supported. Alternatively, apply the forward web proxy procedure in reverse: connect with a client that supports secure TLS renegotiation (how the client signals support for the extension may vary) and watch TMG's response.

(Screenshot: opera_tmg_ssl_reneg)

- For the forward web proxy scenario (when HTTPS Inspection is used), take a Wireshark capture and look for the 0x00ff "cipher suite" (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) in the SSL 2.0-compatible Client Hello that TMG sends when negotiating TLS 1.0.

(Screenshot: tmg_sec_reneg_ext)

If the remote server supports secure renegotiation, it may reply with the 0xff01 (renegotiation_info) extension in its Server Hello.

(Screenshot: tmg_sec_reneg_ext_https_insp)
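The same check Wireshark lets you do by eye, as an added example that is not part of the original post: a small parser that takes the raw bytes of a Client Hello or Server Hello (TLS-record framed, or the SSL 2.0-compatible CLIENT-HELLO format mentioned above) and reports whether the 0x00ff SCSV or the 0xff01 renegotiation_info extension is present. The sample hellos are constructed by the builder functions at the bottom, not taken from a TMG capture; 0x002f and 0x010080 are used only as filler cipher values.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)
RENEG_INFO = b'\xff\x01\x00\x01\x00'  # constructed ext: type 0xff01, len 1, empty payload

def _u16(b, p):
    return struct.unpack('>H', b[p:p + 2])[0]
def _parse_tls_hello(data):
    """TLS-record-framed ClientHello (type 1) or ServerHello (type 2) -> (suites, ext_types)."""
    hs_type = data[5]
    p = 9 + 2 + 32                 # skip record + handshake headers, version, random
    p += 1 + data[p]               # session_id
    if hs_type == 1:               # ClientHello carries a cipher_suites vector
        n = _u16(data, p); p += 2
        suites = [_u16(data, i) for i in range(p, p + n, 2)]; p += n
        p += 1 + data[p]           # compression_methods vector
    else:                          # ServerHello carries one suite and one method
        suites = [_u16(data, p)]; p += 3
    exts = []
    if p < len(data):              # optional extensions block
        end = p + 2 + _u16(data, p); p += 2
        while p < end:
            exts.append(_u16(data, p)); p += 4 + _u16(data, p + 2)
    return suites, exts
def _parse_ssl2_hello(data):
    """SSL 2.0-compatible CLIENT-HELLO: 3-byte cipher specs, no extensions possible."""
    cs_len = _u16(data, 5)         # layout: len(2) type(1) version(2) cs_len(2) sid_len(2) ch_len(2)
    return [int.from_bytes(data[i:i + 3], 'big') for i in range(11, 11 + cs_len, 3)], []
def secure_reneg_signalled(data):
    """True when the hello carries the 0x00ff SCSV or the 0xff01 renegotiation_info extension."""
    suites, exts = _parse_ssl2_hello(data) if data[0] & 0x80 else _parse_tls_hello(data)
    return SCSV in suites or RENEG_INFO_EXT in exts

# Builders for constructed sample hellos (not captured traffic) so the check runs offline.
def _frame(hs_type, body, exts):
    if exts:
        body += struct.pack('>H', len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, 'big') + body
    return b'\x16\x03\x01' + struct.pack('>H', len(hs)) + hs
def build_client_hello(suites, exts=b''):
    body = b'\x03\x01' + bytes(32) + b'\x00' + struct.pack('>H', 2 * len(suites))
    return _frame(1, body + b''.join(struct.pack('>H', s) for s in suites) + b'\x01\x00', exts)
def build_server_hello(suite, exts=b''):
    return _frame(2, b'\x03\x01' + bytes(32) + b'\x00' + struct.pack('>H', suite) + b'\x00', exts)
def build_ssl2_client_hello(suites):
    specs = b''.join(s.to_bytes(3, 'big') for s in suites)  # TLS suites appear as 0x00 + suite
    body = b'\x01\x03\x01' + struct.pack('>HHH', len(specs), 0, 16) + specs + bytes(16)
    return struct.pack('>H', 0x8000 | len(body)) + body
```

To run it against real traffic, export the handshake bytes of the Client Hello or Server Hello from Wireshark and pass them to `secure_reneg_signalled`.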

Comments (2) -

  • Gary

    9/27/2010 5:00:18 PM |

    Does anyone know how to fix this on ISA 2006? I have installed said KB on an ISA 2006 and now, according to SSL Labs, I support secure and insecure: "Secure Renegotiation Supported Insecure Renegotiation Supported INSECURE". How do I disable the insecure renegotiation?

    • adimcev

      9/27/2010 8:49:31 PM |

      Hi Gary,

      This is expected, ISA is in Compatible Mode.
      You can put it in Strict Mode. See this:
      www.carbonwind.net/.../...gotiation-extension.aspx
      Do note that after that you need to patch all your clients, otherwise the unpatched ones (not presenting the secure reneg extension) will fail to connect.

      Thanks,
      Adrian
