22

Is there a difference between SSLv3 and TLSv1? How does IIS6.0 control what type of security is used for a website enabled with HTTPS?

MS says that there is a hierarchy in which the security and encryption level is negotiated before connection is established. What is this hierarchy?

Is SSLv3 available in IIS6.0 by default on Windows Server 2003?

Nishith
  • For IIS security related info: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/56bdf977-14f8-4867-9c51-34c346d48b04.mspx?mfr=true – fasih.rana Dec 22 '08 at 06:22
  • The most important difference is that POODLE affects SSLv3 but not TLS1.0 – Ben Voigt Oct 28 '14 at 23:43

1 Answer

18

SSLv3 and TLSv1 are not the same; however, TLSv1 is based on SSLv3.

This is a protocol which is backward compatible, and gives a way to determine which version to use according to the "handshake" that takes place between the client and the server.

Read more here (this helped me understand it better): http://en.wikipedia.org/wiki/Secure_Sockets_Layer

fasih.rana
  • Thanks, but what is the difference/advantage of TLSv1 over SSLv3 then? What is the hierarchy when the protocol is determined during the handshake - will the web server (IIS6.0) prefer TLSv1 over SSLv3? Can this be configured? – Nishith Dec 26 '08 at 09:51
  • 3
    I believe TLSv1 should be preferred over SSLv3 in modern browsers. It is my understanding that the client sends its "Hello" with its preferred/strongest/newest protocol version and the server will match if it can. Otherwise a weaker/older protocol will be negotiated. http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail – jacobq Aug 22 '12 at 14:30
  • 1
    And right now everyone is scrambling to disable downgrade negotiation. – Ben Voigt Oct 28 '14 at 23:44
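
The version negotiation discussed in this thread, as an added example that is not part of the original posts: it parses the `client_version` field of a constructed ClientHello (TLS 1.0 is 3.1 on the wire, SSLv3 is 3.0) and picks the highest version both sides support. It goes one step beyond the thread by also modelling the TLS_FALLBACK_SCSV check from RFC 7507, a standard way for a server to refuse a downgraded retry. The function names, the sample ClientHello and the simplified server (no extensions, pre-TLS 1.3 negotiation) are assumptions made for the illustration.

```python
import struct

# Wire values of ProtocolVersion (major, minor): TLS 1.0 is literally "SSL 3.1".
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value


def build_client_hello(client_version, cipher_suites):
    """Construct a minimal ClientHello record (constructed sample, no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", client_version) + bytes(32)   # version + random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                   # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: type 0x16 (handshake), record-layer version, length.
    return b"\x16" + struct.pack("!HH", 0x0300, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake ClientHello record")
    (version,) = struct.unpack_from("!H", record, 9)
    pos = 9 + 2 + 32                                         # past version + random
    pos += 1 + record[pos]                                   # skip session id
    (n,) = struct.unpack_from("!H", record, pos)
    suites = struct.unpack_from("!%dH" % (n // 2), record, pos + 2)
    return version, list(suites)


def negotiate(record, server_enabled):
    """Return what a server with `server_enabled` versions would answer with."""
    client_version, suites = parse_client_hello(record)
    usable = [v for v in server_enabled if v <= client_version]
    if not usable:
        return "alert: protocol_version"
    # RFC 7507: refuse a retry at a lower version than the server could have done.
    if TLS_FALLBACK_SCSV in suites and client_version < max(server_enabled):
        return "alert: inappropriate_fallback"
    return VERSIONS[max(usable)]
```
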