From time to time it is worth checking the validity of an SSL certificate installation for vulnerabilities such as obsolete SSL ciphers, an expiry date that is near or passed, failing revocation checks, the Heartbleed vulnerability, and so on.
DigiCert provides an easy-to-use tool to check this information.
Click on digicert.com/help and enter the domain name or IP address to check the SSL certificate presentation.
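The checks above can also be run from your own workstation against the server, which is useful when you want them scripted rather than typed into a web form. The following PowerShell is an added example, not the original post's code and not DigiCert's tool: it asks the server which SSL/TLS versions it will negotiate, then inspects the certificate it presents for expiry, name match and online revocation status using the .NET SslStream and X509Chain classes. The host name 'mail.example.com' and the port are constructed placeholders.

```powershell
# Added example (not from the original post): probe a server's SSL/TLS
# versions and check the certificate it presents. Replace $target below.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate during the version probe: the only question
        # here is whether a handshake completes at this protocol version.
        # Trust, names and revocation are checked in Test-ServerCertificate.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Protocol   = $Protocol
            Negotiated = $true
            Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Note       = ''
        }
        $ssl.Dispose()
        return $result
    } catch {
        # Either the server refused this version or this client OS/.NET no
        # longer offers it (true for SSL 3.0 on current Windows). In both
        # cases the version is not usable from this host.
        return [pscustomobject]@{
            Protocol   = $Protocol
            Negotiated = $false
            Cipher     = ''
            Note       = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Dispose()
    }
}

function Test-ServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443, [int]$WarnDays = 30)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()

        # Build the chain ourselves with online revocation checking (CRL/OCSP)
        # for every certificate in the chain, which is what a "revocation
        # check" in the post amounts to.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chainOk  = $chain.Build($cert)
        $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # X509Chain does not check the host name; compare it against the CN and
        # the DNS entries of the Subject Alternative Name extension (OID
        # 2.5.29.17). Exact match only; wildcard names are not handled here.
        $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join ' '
        $nameOk = ($cn -eq $HostName) -or ($san -match ('\b' + [regex]::Escape($HostName) + '\b'))

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        return [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            Expiring    = ($daysLeft -lt $WarnDays)
            NameMatches = $nameOk
            ChainValid  = $chainOk
            ChainStatus = if ($problems) { $problems } else { 'NoError' }
        }
    } finally {
        $client.Dispose()
    }
}

$target = 'mail.example.com'   # constructed placeholder: your server's public name
$versions = foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -HostName $target -Protocol $p
}
$versions | Format-Table -AutoSize
Test-ServerCertificate -HostName $target | Format-List
```

On a server configured as the post recommends, Ssl3 (and, on current guidance, Tls and Tls11) should report Negotiated = False while Tls12 succeeds, and the certificate check should show ChainValid = True, NameMatches = True and no ChainStatus errors. This probe speaks TLS immediately on connect, so it suits ports such as 443, 465 or 993; an SMTP listener on port 25 expects a STARTTLS exchange first, which the example does not implement.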
For reference: while investigating Event ID 36887 Schannel Error 46 alerts in the System event log ("A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46"), we saw the following results showing incorrect ciphers for mail.sealionshippping.co.uk.
Some versions of Windows Server (including Windows Server 2008 with IIS 7, and Server 2012) allow SSL 2.0 and SSL 3.0 by default. These are insecure protocols, and you will fail a PCI compliance scan if you don't disable them. To properly secure your server and ensure that you pass your PCI-DSS scans, you will need to disable SSL 2.0 and SSL 3.0 and disable weak ciphers. Other algorithms are also insecure, and ones considered current today may be deprecated in the future, so follow SSL deployment best practices when deciding which protocols and ciphers to enable.
The simplest way to disable the insecure protocols and ciphers is through a GUI. Because Windows doesn't provide such an interface, you'll need a tool like Nartac's IIS Crypto.
Checking the Exchange server with Nartac's IIS Crypto tool, we can see that we are not using SSL 2.0 or SSL 3.0, but we are using a number of obsolete RC ciphers that are enabled by default.
By clicking the Best Practices button, IIS was set to the correct settings (as below).
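IIS Crypto works by editing the Schannel registry keys, so the same change can be audited and applied without the GUI, for example from a build script or to verify what the button actually changed. The PowerShell below is an added example; it is not the original post's code and not what IIS Crypto itself runs. It disables SSL 2.0 and SSL 3.0 for both the server and client sides and turns off the RC4 and RC2 ciphers the post refers to, then reads the configuration back. The protocol and cipher key names are the documented Schannel registry names, not assumptions. Run it in an elevated PowerShell on the server; Schannel reads these keys at start-up, so a reboot is needed afterwards.

```powershell
# Added example (not the original post's code, not IIS Crypto): the Schannel
# registry settings behind "disable SSL 2.0/3.0 and the RC ciphers".
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$DWord = [Microsoft.Win32.RegistryValueKind]::DWord

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'SSL 2.0'
    foreach ($side in 'Server', 'Client') {
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\Protocols\$Protocol\$side")
        # Enabled=0 switches the version off; DisabledByDefault=1 stops
        # applications that do not choose protocols explicitly from using it.
        $key.SetValue('Enabled', 0, $DWord)
        $key.SetValue('DisabledByDefault', 1, $DWord)
        $key.Close()
    }
}

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$Cipher)     # e.g. 'RC4 128/128'
    # Cipher key names contain '/', which the PowerShell registry provider
    # treats as a path separator (New-Item would create 'RC4 128\128').
    # The .NET Registry API takes the name literally, so use that instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\Ciphers\$Cipher")
    $key.SetValue('Enabled', 0, $DWord)
    $key.Close()
}

function Get-SchannelState {
    # Read back what is configured, for auditing before and after the change.
    # Protocol keys carry Server/Client subkeys; cipher keys hold Enabled directly.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SchannelPath)
    foreach ($kind in 'Protocols', 'Ciphers') {
        $node = $base.OpenSubKey($kind)
        if (-not $node) { continue }
        foreach ($name in $node.GetSubKeyNames()) {
            $sub = $node.OpenSubKey($name)
            $leaves = $sub.GetSubKeyNames()
            if ($leaves.Count -eq 0) { $leaves = @('') }
            foreach ($leaf in $leaves) {
                $k = $sub
                $display = $name
                if ($leaf) { $k = $sub.OpenSubKey($leaf); $display = "$name\$leaf" }
                [pscustomobject]@{
                    Kind              = $kind
                    Name              = $display
                    Enabled           = $k.GetValue('Enabled', '(not set)')
                    DisabledByDefault = $k.GetValue('DisabledByDefault', '(not set)')
                }
            }
        }
    }
}

# Apply the changes the post describes, then show the resulting state.
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Disable-SchannelProtocol $_ }
'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128',
'RC2 128/128', 'RC2 56/128', 'RC2 40/128' | ForEach-Object { Disable-SchannelCipher $_ }
Get-SchannelState | Format-Table -AutoSize
```

Running Get-SchannelState on its own before applying anything gives you a record of the starting configuration, which is worth keeping alongside the change for the PCI evidence trail; a key that reads "(not set)" means Windows is using its built-in default for that version or cipher.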
Checking again with digicert.com/help now produces the following confirmation that the certificate is installed correctly.
Note that the TLS error we were originally investigating was not the result of an incorrectly installed SSL certificate. Mimecast scans inbound email for spam and viruses and then hands the mail to our server over TLS via the "Default SERVERNAME" Receive connector. The default FQDN setting for that connector is "servername.domain", and this SMTP connector has a self-signed certificate for the server name only.
There is no way to change that name to one covered by the public certificate, so we disabled SCHANNEL event logging completely: https://support.microsoft.com/en-us/kb/260729
References:
Event ID: 36887 Schannel Error 46 – Exchange 2010
Troubleshooting Certificate Status and Revocation
DigiCert Certificate Utility for Windows
The free DigiCert Certificate Utility for Windows is an indispensable tool for administrators and a must-have for anyone that uses SSL Certificates for Websites and servers or Code Signing Certificates for trusted software.