Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA" does not remove the cipher suite from list

Thomas H. Gundel 0 Reputation points
2023-02-07T13:34:22.6833333+00:00

Hi,

I have quite the conundrum: when I run Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA" on our Exchange server, it executes as expected and returns an error when I attempt to run it again, indicating it is already disabled.

However, tests from SSLLab and running Get-TlsCipherSuite | fl -property CipherSuite, name show that it is, in fact, still enabled. Furthermore, it is being reported as an accepted cipher from BlackstoneOne in our IFCR report.

I have been searching for hours now and cannot find a decisive answer; it appears that most are content with PowerShell returning an error as the indication that it is disabled. I, however, need to be absolutely certain that it is disabled.

Any and all help in this regard is highly appreciated, as I am, at this point in time, stuck :(

PS C:\Windows\system32> Get-TlsCipherSuite | Format-Table -Property CipherSuite, Name

CipherSuite Name
----------- ----
      49200 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      49199 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      49192 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      49191 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      49172 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      49171 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          0 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      49195 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      49188 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
      49187 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
      49162 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
      49161 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
        157 TLS_RSA_WITH_AES_256_GCM_SHA384
        156 TLS_RSA_WITH_AES_128_GCM_SHA256
         61 TLS_RSA_WITH_AES_256_CBC_SHA256
         60 TLS_RSA_WITH_AES_128_CBC_SHA256
         53 TLS_RSA_WITH_AES_256_CBC_SHA
         47 TLS_RSA_WITH_AES_128_CBC_SHA
         10 TLS_RSA_WITH_3DES_EDE_CBC_SHA

1 answer

  1. Limitless Technology 43,926 Reputation points
    2023-02-09T09:04:13.8533333+00:00

    Hello,

    This is a common confusion, but it has been clarified in the official article from Microsoft:

    "The Get-TlsCipherSuite cmdlet gets an ordered collection of cipher suites for a computer that Transport Layer Security (TLS) can use."

    Reference: https://learn.microsoft.com/en-us/powershell/module/tls/get-tlsciphersuite?view=windowsserver2022-ps

    So, in fact, even if disabled, the ciphers will still be in the system.

    --If the reply is helpful, please Upvote and Accept as answer--
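Added example, not code from the thread: a PowerShell check of each place Schannel consults for this suite, since Disable-TlsCipherSuite edits only the local cipher-suite order and a Group Policy list or the legacy Schannel cipher switch can still leave 3DES reachable. It assumes the standard registry locations for the local order, the policy override and the Schannel "Triple DES 168" cipher key; the function name Test-CipherSuiteLocations is my own.

```powershell
# Added example (not from the thread). Reports every configuration point
# that decides whether TLS_RSA_WITH_3DES_EDE_CBC_SHA can still be negotiated.
$Suite = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

function Test-CipherSuiteLocations {
    param([string]$Name = $Suite)
    $result = [ordered]@{}

    # 1. The ordered list the TLS stack reports right now.
    $result.InGetTlsCipherSuite = [bool](Get-TlsCipherSuite | Where-Object { $_.Name -eq $Name })

    # 2. Local cipher-suite order, the list Enable-/Disable-TlsCipherSuite edit (REG_MULTI_SZ).
    $local = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    $localList = (Get-ItemProperty -Path $local -Name Functions -ErrorAction SilentlyContinue).Functions
    $result.InLocalList = [bool]($localList -contains $Name)

    # 3. Group Policy "SSL Cipher Suite Order"; when present it takes precedence
    #    over the local list, so a disable at the local level changes nothing (REG_SZ, comma-separated).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policyValue = (Get-ItemProperty -Path $policy -Name Functions -ErrorAction SilentlyContinue).Functions
    $result.PolicyListPresent = $null -ne $policyValue
    $result.InPolicyList = [bool]($policyValue -and (($policyValue -split ',') -contains $Name))

    # 4. Legacy Schannel cipher switch for 3DES. Enabled = 0 blocks the algorithm
    #    regardless of suite lists; Schannel reads it at boot, so a reboot is needed
    #    before an external scanner sees the change.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
    $enabled = (Get-ItemProperty -Path $schannel -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $result.TripleDesCipherEnabled = if ($null -eq $enabled) { 'not set (default: enabled)' } else { $enabled }

    # The suite is only safely gone when every "In..." field is False
    # or the Schannel cipher switch is 0.
    [pscustomobject]$result
}

Test-CipherSuiteLocations
```

Run it in an elevated PowerShell session on the server itself, then confirm with an external scan after the reboot.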