The Heartbleed Vulnerability is a serious SSL Bug that basically can allow a hacker to decrypt your SSL traffic. Network and Systems teams are racing to resolve vulnerabilites to their applications. I’ll focus on the impact to IIS hosted applications.
Does Heartbleed affect IIS SSL traffic? The short answer is no. The Windows Operating Systems use the Microsoft Schannel Provider to implement SSL, not OpenSSL. See the following MSDN link to see the list of cipher suites. But your application could still be vulnerable if your servers are behind a load balancer or Proxy Server and SSL is terminated at that device not IIS. Most load balancers and proxy servers are linux based and implement OpenSSL. F5 Local Traffic Managers are an example of this. If your running an F5 LTM make sure you review SOL15159.
How to Check Your Cipher Suite
If you need to determine what cipher suite your application is using, you can do that fairly easy using Network Monitor.
- Open Network Monitor and start a capture.
- On the same machine access the website in question using IE or any other browser over SSL. Stop the capture.
- Look for the Server Hello packet, this is where the server will set the Cipher Suite to be used.
- In the frame details drill into the SSL details, find the SSLHandshake, and then find the SSLCipherSuite. The Cipher Suite used will help you determine what SSL Provider was used on the server. The Cipher suite to the left came from an F5 OpenSSL provider.
- An IIS Cipher Suite will look similar to this. See the list of Windows Cipher Suites below.
- This is not a guarantee that you are not using OpenSSL, it only tells you what cipher suite is being used.
SChannel Cipher Suites