Enable a specific Cipher Suite on Windows Server 2019

Marco 0 Reputation points
2024-01-18T11:50:32.9933333+00:00

Hi, in order to maximize compatibility with some old clients inside our infrastructure we need to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA Cipher Suite on our webserver running on Windows Server 2019.

We have already added this cipher suite inside the Functions key in the registry under this address and restarted the machine, but without results.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

Is there a way to enable it or the compatibility with this cipher is no longer guaranteed? Thank you

Windows Server 2019

2 answers

Sort by: Most helpful
  1. Michael Taylor 56,946 Reputation points
    2024-01-18T15:38:40.5266667+00:00

    To enable ciphers properly you should be using the IISCrypto tool. Modifying the registry directly is not recommended and may not work as you expect. More importantly, if the OS doesn't support it then it won't show up anymore.

    After making the change and rebooting the cipher is enabled. However when security negotiation occurs then the client and server share the supported ciphers and agree on the "most secure" one to use. Hence testing this directly isn't easy. There are online services that can tell you what ciphers are supported if you really want to test this but IISCrypto shows you that same information.

    1 person found this answer helpful.

  2. Daisy Zhou 29,376 Reputation points Microsoft Vendor
    2024-01-22T02:18:12.36+00:00

    Hello Marco, thank you for posting in the Q&A forum.

    Did you only add the cipher suite on the server, or did you add it on both the server and one of the old client machines you mentioned? You can try adding the cipher suite to an old client as a test, and then check whether the suite is successfully applied using your method. Also, how did you make the judgment "but without results"?

    Attached is an article about compatibility between Windows server/client versions and cipher suites. I found in the article that cipher suites are applied with a priority order. If the above operations are not successful, you can also try setting the priority of the suite: open the "Run" window, enter gpedit.msc, and open the "Local Group Policy Editor". Navigate to "Computer Configuration" -> "Management Templates" -> "Network" -> "SSL Configuration Settings". Find and double-click "SSL Cipher Suite Order" in the right pane and move TLS_RSA_WITH_3DES_EDE_CBC_SHA to the first position.

    This is the article about cipher suites and Windows versions: https://learn.microsoft.com/zh-cn/windows/win32/secauthn/schannel-cipher-suites-in-windows-vista

    If none of the above methods work, please check whether the old client machine supports this cipher suite.

    I hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    If the Answer is helpful, please click "Accept Answer" and upvote it.

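Added example, not part of either answer above: both replies point at different layers of the same Schannel configuration (the local cipher suite list, the Group Policy "SSL Cipher Suite Order" that overrides it, and the per-cipher enable flags that tools such as IIS Crypto write). The PowerShell below, run elevated on Windows Server 2016/2019, checks all three for TLS_RSA_WITH_3DES_EDE_CBC_SHA and adds the suite with the built-in TLS module instead of editing the Functions value by hand. The registry paths are the documented Schannel/Group Policy locations; the warning texts and the decision to append the suite at the end of the list are this example's own choices.

```powershell
# Added example (not code from the original post). Requires an elevated
# prompt. Schannel reads these settings at boot, so reboot afterwards;
# restarting IIS alone is not enough.
$suite = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

# 1. Local cipher suite list (what the TLS module manages; maps to the
#    Functions value under Cryptography\Configuration\Local\SSL\00010002).
$effective = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
$pos = [array]::IndexOf($effective, $suite)
if ($pos -ge 0) {
    "$suite is already in the local list at position $pos"
} else {
    # Append at the end: modern clients still negotiate the stronger suites
    # listed before it, and only clients that offer nothing else fall back to 3DES.
    Enable-TlsCipherSuite -Name $suite -Position $effective.Count
    "$suite appended to the local cipher suite list"
}

# 2. A Group Policy "SSL Cipher Suite Order" (gpedit.msc or a domain GPO)
#    writes its own Functions value under HKLM\SOFTWARE\Policies and takes
#    precedence over the local list. If it exists without the suite, step 1
#    has no effect.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy -and ($policy.Functions -notmatch [regex]::Escape($suite))) {
    Write-Warning "A Group Policy cipher suite order is in effect and does not include $suite; add it there or remove the policy."
}

# 3. Schannel only offers a suite whose underlying cipher is enabled.
#    Hardening tools commonly set Triple DES 168 to Enabled=0 (Sweet32
#    mitigation), which silently drops every 3DES suite from the offer.
$cipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
$cipher = Get-ItemProperty -Path $cipherKey -Name Enabled -ErrorAction SilentlyContinue
if ($cipher -and $cipher.Enabled -eq 0) {
    Write-Warning "Triple DES 168 is disabled under SCHANNEL\Ciphers; $suite will not be offered until that value is removed or set to 0xffffffff."
}

# 4. Show the resulting order so the change can be reviewed before rebooting.
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

To confirm the result from a client after the reboot, negotiate only that suite from a machine with OpenSSL: `openssl s_client -connect <server>:443 -tls1_2 -cipher 'DES-CBC3-SHA:@SECLEVEL=0'` (DES-CBC3-SHA is OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA; the security-level override is needed on newer OpenSSL builds, which refuse 3DES by default). A handshake that completes with `Cipher is DES-CBC3-SHA` proves the server offers the suite; a `handshake failure` alert means one of the three layers above is still blocking it. Keep in mind that enabling this suite re-exposes the server to the 64-bit block size weakness of 3DES (Sweet32), so scope it to the hosts the old clients actually reach and remove it once they are retired.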
