Add Cipher Suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for Windows 2012 R2

QianBiao NG 31 Reputation points
2020-12-28T05:04:18.013+00:00

Hi, this is a mirror question of https://learn.microsoft.com/answers/questions/198725/add-chiper-suite-tls-ecdhe-rsa-with-aes-128-gcm-sh.html

In that question, @Dave Patrick's answer gives a solution to fix the issue, but he does not answer how to set the cipher suite through the command line or in a programmatic way.

Windows Server 2012

4 answers

  1. Hannah Xiong 6,241 Reputation points
    2020-12-28T07:00:32.307+00:00

    Hello,

    Thank you so much for posting here.

    To add cipher suites, either deploy a group policy or use the TLS cmdlets:

    To use group policy, configure SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all cipher suites you want enabled.

    To use PowerShell, see TLS cmdlets.

    Reference:
    TLS Cipher Suites in Windows 10 v1507
    https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10--version-1507

    Manage Transport Layer Security (TLS)
    https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

    Enable-TlsCipherSuite
    https://learn.microsoft.com/en-us/powershell/module/tls/enable-tlsciphersuite?view=win10-ps

    Best regards,
    Hannah Xiong

    1 person found this answer helpful.

  2. Hannah Xiong 6,241 Reputation points
    2020-12-28T08:57:19.023+00:00

    Hello,

    Thank you so much for your kind reply.

    Windows 8.1 and Windows Server 2012 R2 are updated through Windows Update by update 2919355, which adds the new cipher suites and changes the priority order.

    Reference:

    https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1

    https://support.microsoft.com/en-us/help/2929781/update-adds-new-tls-cipher-suites-and-changes-cipher-suite-priorities

    Firstly, we could check whether we have installed this update. Then, as you mentioned, it seems that the Enable-TlsCipherSuite PowerShell command could not be used. According to my further research, it seems that we could only configure the group policy.

    https://support.microsoft.com/en-us/help/3161639

    Besides, Windows Server 2012 R2 does not support this cipher suite. Since it is not supported, we doubt whether it could be added. I have done some research, but failed to get confirmation of whether the non-supported cipher suite could be added.

    Thank you so much for your understanding and support.

    Best regards,
    Hannah Xiong

  3. QianBiao NG 31 Reputation points
    2020-12-28T09:01:27.047+00:00

    @Hannah Xiong It is supported; I have tested it on Windows Server 2012 R2, at least for our environment. I am not sure which cipher suite is used in the end, but after installing the Windows update you mentioned and setting the cipher suite, everything works.

    And what I need is a programmatic way to set the cipher suite, because I need to integrate it into our installation scripts.

  4. Hannah Xiong 6,241 Reputation points
    2020-12-28T09:36:07.027+00:00

    Hello,

    Thank you so much for your kind reply.

    We could check whether it helps.
    https://learn.microsoft.com/en-us/windows/win32/secauthn/prioritizing-schannel-cipher-suites

    Best regards,
    Hannah Xiong
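
A scripted equivalent of the group policy route from the answers above, suitable for an installation script; it is an added example, not code from this thread or from Microsoft. It assumes the SSL Cipher Suite Order policy is stored in the `Functions` value under the registry key shown, and the `-Apply` switch and `Get-SuiteOrder` helper are hypothetical names.

```powershell
# Added example (not from the thread). Run elevated; registry paths are assumptions (see lead-in).
param(
    [string]$Suite = 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

# Where the "SSL Cipher Suite Order" policy is stored (REG_SZ, comma-separated).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# OS default order, used when no policy is set (REG_MULTI_SZ).
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SuiteOrder {   # hypothetical helper
    $p = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($p -and $p.Functions) {
        return @($p.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $l = Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue
    if ($l) { return @($l.Functions) }
    return @()
}

$current = @(Get-SuiteOrder)
if ($current.Count -eq 0) {
    # Writing a one-entry list would leave the server with a single suite.
    throw 'No existing cipher suite order found; refusing to write a one-entry list.'
}
if ($current -contains $Suite) {
    Write-Output "$Suite is already in the configured order."
    return
}

# Prepend so the suite is preferred; every existing entry keeps its relative order.
$value = (@($Suite) + $current) -join ','
if ($value.Length -gt 1023) {
    throw "Resulting list is $($value.Length) characters; the policy setting accepts at most 1023."
}
if (-not $Apply) {
    Write-Output "Would set Functions to: $value"
    return
}

if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name Functions -Value $value -Type String
Write-Output 'Policy value written; restart the server for Schannel to pick it up.'
```

A domain GPO that configures the same setting overwrites this value at the next policy refresh. The script does not check that the installed OS build actually implements the suite it adds.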