Configured Cipher suite order not applied

Nicusor Adrian Pelivan
2022-10-21T14:42:01.837+00:00

Hello,

I have a 2012R2 server in which I configured the cipher suite order policy with a list of 12 preferred ciphers. I rebooted the server, and the SSL 00010002 reg key is configured correctly.
I took a trace with Wireshark and noticed that, when using TLS, the server is not proposing the ciphers that are configured in the policy. It proposes the default ones, and because of this a connection that I need is not working, as the remote server is not accepting any of the proposed ciphers.
The cipher suite list is written correctly, with a comma after each cipher and no spaces.

Does anybody have any idea what could be wrong? Is there any policy that may overwrite the configured cipher suite order?

Thank you!


Accepted answer
  Anonymous
    2022-10-27T07:53:03.51+00:00

    Hello NicusorAdrianPelivan-5582,

    Thank you for posting in our Q&A forum.

    Is this 2012R2 server in a domain or in a workgroup? If this machine is in a domain, maybe the domain policy overwrites the cipher suite order.

    If this machine is only in a workgroup and not in any domain, please tell us how you configured the cipher suite order
    (Local Group Policy or Registry).

    Local Group policy

    Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

    OR Registry

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

    Please check the cipher suite order with the following PowerShell command and check the result.

    Get-TlsCipherSuite

    For more information, please refer to links below.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

    https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

    Meanwhile (I think it is important), different Windows versions support different TLS cipher suites and priority order. See Cipher Suites in TLS/SSL (Schannel SSP) for the default order supported by the Microsoft Schannel Provider in different Windows versions.

    https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

    Cipher suites can only be negotiated for TLS versions which support them. The highest supported TLS version is always preferred in the TLS handshake.
    For example, SSL_CK_RC4_128_WITH_MD5 can only be used when both the client and server do not support TLS 1.2, 1.1 & 1.0 or SSL 3.0 since it is only supported with SSL 2.0.

    In the following link we can check which cipher suites are enabled by default, and in which priority order, by the Microsoft Schannel Provider, and which cipher suites are supported by the Microsoft Schannel Provider but not enabled by default.

    https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou


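The answer above points at two registry locations and one cmdlet. The script below is an added example, not code from the question or the answer: it reads the policy-delivered order (the key that the "SSL Cipher Suite Order" Group Policy setting writes under HKLM\SOFTWARE\Policies), the local order under HKLM\SYSTEM\...\Local\SSL\00010002, and the order Schannel actually reports, and flags the usual reasons a configured list is silently ignored (a domain policy overriding the local key, a policy string longer than the 1023-character limit, whitespace in the string, or suite names this OS build does not recognise). It assumes an elevated PowerShell session; the Get-TlsCipherSuite cmdlet is assumed to be available (it ships with the TLS module on Windows Server 2016 and later), and the script falls back to the registry checks alone where it is not. The value name `Functions` and the two key paths are the real Schannel locations; everything else (variable names, the output layout) is this example's own.

```powershell
# Added example (not from the original post): find out which cipher-suite order
# Schannel is really using and why a configured order may not be applied.
# Assumes an elevated session. Get-TlsCipherSuite is assumed available
# (Windows Server 2016 and later); the registry checks work without it.

# Group Policy ("SSL Cipher Suite Order") writes a REG_SZ "Functions" value here.
# When this value exists, Schannel uses it and ignores the local key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Local (non-policy) Schannel configuration; "Functions" is REG_MULTI_SZ here.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# The policy string is limited to 1023 characters; a longer list is not applied.
$MaxPolicyLength = 1023

function Get-ConfiguredSuites {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    # Normalise REG_SZ (one comma-separated string) and REG_MULTI_SZ (one entry
    # per element) to a flat array of suite names.
    $joined = @($item.Functions) -join ','
    $suites = ($joined -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    [pscustomobject]@{
        Path      = $Path
        RawLength = $joined.Length
        HasSpaces = [bool]($joined -match '\s')   # documented format: commas, no spaces
        Suites    = @($suites)
    }
}

$policy = Get-ConfiguredSuites -Path $PolicyKey
$local  = Get-ConfiguredSuites -Path $LocalKey

if ($policy) {
    Write-Host "Policy key present with $($policy.Suites.Count) suites: Schannel uses it and ignores the local key."
    if ($policy.RawLength -gt $MaxPolicyLength) {
        Write-Warning "Policy string is $($policy.RawLength) characters, over the $MaxPolicyLength limit; it will not apply."
    }
    if ($policy.HasSpaces) { Write-Warning 'Policy string contains whitespace; the documented format is comma-separated with no spaces.' }
    Write-Host 'Run "gpresult /scope computer /r" to see which GPO (domain or local) delivered this value.'
} elseif ($local) {
    Write-Host "No policy key; the local key holds $($local.Suites.Count) suites."
} else {
    Write-Host 'No cipher-suite order configured in either key; Schannel uses its built-in default order.'
}

$configured = if ($policy) { $policy.Suites } elseif ($local) { $local.Suites } else { @() }

# What Schannel reports as its effective, ordered list (needs the TLS module).
$effective = @()
if (Get-Command -Name Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $effective = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
} else {
    Write-Warning 'Get-TlsCipherSuite is not available on this build; compare the registry lists against the Wireshark ClientHello instead.'
}

if ($effective.Count -gt 0) {
    # Names Schannel does not know (typos, suites this OS build lacks) are
    # dropped silently, so they are the first thing to look for.
    $unknown = @($configured | Where-Object { $_ -notin $effective })
    if ($unknown.Count -gt 0) { Write-Warning "Configured but not reported by Schannel: $($unknown -join ', ')" }

    # Head of both lists side by side; a mismatch at index 0 means the
    # configured order is not the one in effect.
    $rows = [Math]::Min(12, [Math]::Max($configured.Count, $effective.Count))
    if ($rows -gt 0) {
        0..($rows - 1) | ForEach-Object {
            [pscustomobject]@{ Index = $_; Configured = $configured[$_]; Effective = $effective[$_] }
        } | Format-Table -AutoSize
    }
}
```

Two things to keep in mind when reading the output. First, the registry value under HKLM\SOFTWARE\Policies is what any GPO, domain or local, writes; if it is present and differs from what was typed locally, the `gpresult` output names the winning GPO. Second, these keys only govern Schannel: an application that ships its own TLS stack (a Java or OpenSSL-based client, for example) builds its ClientHello from its own configuration, so a Wireshark trace showing the default suites can also mean the connection is not going through Schannel at all.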
