Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
Consider the following scenario. The network is running a Cisco PIX 515E firewall. A user tries to access a Web page in Windows Internet Explorer 7 by using Security Sockets Layer (SSL) from a computer that is running Windows Vista. However, the user receives the following error message:
Internet Explorer cannot display the webpage
This issue does not occur if the user tries to access the same Web page from a computer that is running Microsoft Windows XP Service Pack 2 (SP2).
This issue occurs if the network is running Cisco PIX 515E firewall version 6.3(5). This particular version of the Cisco PIX 515E firewall is configured to use SSL cipher suites that support only DES encryption. By default, cipher suites that use DES encryption are turned off in Windows Vista. Therefore, a user cannot establish a SSL connection because a common cipher suite cannot be negotiated between Windows Vista and the firewall.
Upgrade deployments of Cisco PIX 515E firewall version 6.3(5) to a version that offers cryptographic support that is stronger than 56-bit DES. Contact Cisco to inquire about the availability of an update for the Cisco PIX 515E firewall that supports SSL with cipher suites that use 3DES encryption. For more information, visit the following Cisco Web site:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.
If an upgrade is not possible, use Group Policy to enable 56-bit DES cipher suites in Windows Vista. This procedure is not intended as a long-term solution. Use this procedure only as a temporary workaround.
To enable 56-bit DES cipher suites in Windows Vista, follow these steps:
Click Start, type gpedit.msc in the Start Search box, and then click gpedit in the Programs list.
If you are prompted for an administrator password or confirmation, type your password or click Continue.
Under Computer Configuration in Group Policy Object Editor, expand Administrative Templates, expand Network, expand SSL Configuration Settings, and then click SSL Cipher Suite Order.
Review, and then follow the instructions that are displayed on the screen for how to enable SSL cipher suites.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.