Could you please help to how to configure ecdhe-ecdsa cipher in Exchange server 2013

Omprakash Chouhan 0 Reputation points
2024-03-10T16:20:20.2033333+00:00

We are trying to configure ecdhe-ecdsa cipher in Exchange server 2013 , it seems after enabling the ciphers in 2013 exchange server , we are not able to see the configured cipher details in nmap command . its only showing the default ciphers configure in the server .

Could you please help to the steps to configure it properly in exchange server 2013 so that it can communicate through this cipher and able to see in nmap command.

Below is the details of default ciphers which is showing in nmap command:-

[testuser@vm19centos0054 csa]$ nmap --script ssl-enum-ciphers -p 443 10.10.2.24

Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-10 09:00 PDT

Nmap scan report for 10.10.2.24

Host is up (0.00054s latency).

PORT STATE SERVICE

443/tcp open https

| ssl-enum-ciphers:

| TLSv1.0:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A

| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| compressors:

| NULL

| cipher preference: server

| warnings:

| Weak certificate signature: SHA1

| TLSv1.1:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A

| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| compressors:

| NULL

| cipher preference: server

| warnings:

| Weak certificate signature: SHA1

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A

| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A

| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A

| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A

| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A

| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A

| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A

| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A

| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A

| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A

| compressors:

| NULL

| cipher preference: server

| warnings:

| Weak certificate signature: SHA1

|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds

Exchange | Exchange Server | Other
Windows for business | Windows Server | User experience | Other
{count} votes

1 answer

Sort by: Most helpful
  1. Yuki Sun-MSFT 41,376 Reputation points Moderator
    2024-03-11T02:29:12.9566667+00:00

    Hi @Omprakash Chouhan

    Supposing you are running Windows Server 2012 and Windows Server 2012 R2, you can run the following commands from an elevated PowerShell window to configure the recommended cipher suites:

    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" -Name "Functions" -PropertyType MultiString -Value "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" -Force
    
    

    Reference: Exchange Server TLS configuration best practices.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.