This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 27%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Hi, I want to mitigate or remove the ciphers from more than 20 machines to mitigate this vulnerability. Is it possible to achieve this using any .reg scripts? If so, could you please provide me with the necessary script? This will help us address the vulnerability promptly. Additionally, could you confirm that this mitigation or ciphers removal won't impact any other services on our Windows endpoints? Q: How to fix Birthday attacks against TLS ciphers with 64bit (Sweet32) -CVE-2016-2183?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @Sujith R •
You can user registry key to remove certain specific ciphers a reboot of the machine is required:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
Please don't forget to accept helpful answer
Hi Thameur-BOURBITA, Thanks for your support. Do I need to remove that all ciphers? And Is this possible to complete this action via any scripts? let us know please.
@Sujith R No , you should remove only the vulnerable cipher. Yes it's possible to use a script or a Group Policy Preference to update a registry key.
Please don't forget to accept helpful answer
Hi Thameur-BOURBITA, How can I identified the vulnerable ciphers? Can you help me with this? If you have any scripts for this, kindly share it to me. I have a script for this, Can you check this? Is this fine or not?
# Define the list of cipher suites to be disabled for Sweet32 mitigation
$Sweet32CipherSuites = @(
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA"
)
# Loop through each Sweet32 vulnerable cipher suite and disable it
foreach ($CipherSuite in $Sweet32CipherSuites) {
$CipherSuiteInfo = Get-TlsCipherSuite -Name $CipherSuite -ErrorAction SilentlyContinue
if ($CipherSuiteInfo) {
Disable-TlsCipherSuite -Name $CipherSuiteInfo.Name
Write-Host "Disabled Sweet32 vulnerable cipher suite: $($CipherSuiteInfo.Name)"
} else {
Write-Host "Cipher suite not found: $CipherSuite"
}
}
Write-Host "Sweet32 mitigation complete."
Before disable a weak cipher you should check if your application will be impected or not. You can use thord party tools to identify weak cipher this a example: https://www.ssllabs.com/ssltest/analyze.html Regarding Powershell script ,I suggest you to open new thread and tag it in Powershell forum to get more help from Powershell expert.