ECDHE_ECDSA cipher suites with GCM enabled but not proposed externally

Sylvain Crouet 96 Reputation points
2021-03-18T16:51:05.113+00:00

Hello,

I have a fully patched Windows 2012 R2 server with IIS 8.5 as reverse-proxy.
I enabled several ECDHE_ECDSA cipher suites with GCM:
79277-2021-03-18-17h45-57.png

But the Qualys SSL Server test sees only one:
79297-2021-03-18-17h48-00.png

Can someone help me find a solution to have all enabled ECDHE_ECDSA cipher suites with GCM appear?

Windows Server

Accepted answer
  1. Sylvain Crouet 96 Reputation points
    2021-04-08T06:33:29.267+00:00

    Hi,

    Thanks to Azure support, I discovered that it's related to the ECC key length. For example, with a 256-bit key, only cipher suites ending with P256 can be used. Thus, to use AES_256_GCM suites, I need a 384- or 521-bit key.

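The rule from the accepted answer, as an added example that is not part of the original thread: it reads the named curve out of a certificate's DER bytes and splits a configured suite order into the ECDHE_ECDSA suites whose curve suffix matches the key and those that do not. The function names, the DER fragment and the suite order are constructed for illustration, and the matching rule is the one stated in the answer.

```python
import re

# DER encoding of the id-ecPublicKey OID (1.2.840.10045.2.1).
EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")
# DER encodings of the named-curve OIDs, mapped to the Windows suite suffix.
CURVES = {
    bytes.fromhex("06082a8648ce3d030107"): "P256",  # prime256v1
    bytes.fromhex("06052b81040022"): "P384",        # secp384r1
    bytes.fromhex("06052b81040023"): "P521",        # secp521r1
}
# Windows 2012 R2 style suite name: the curve is the trailing _Pnnn.
SUITE = re.compile(r"^TLS_ECDHE_ECDSA_WITH_(?P<cipher>\w+?)_(?P<curve>P\d{3})$")


def cert_curve(der: bytes) -> str:
    """Return P256/P384/P521 for an ECC certificate given as DER bytes."""
    pos = der.find(EC_PUBLIC_KEY)
    if pos < 0:
        raise ValueError("not an ECC certificate")
    params = der[pos + len(EC_PUBLIC_KEY):]  # curve OID follows the key-type OID
    for oid, name in CURVES.items():
        if params.startswith(oid):
            return name
    raise ValueError("unsupported or explicit curve parameters")


def split_by_curve(configured, curve):
    """Split ECDHE_ECDSA suites into (usable, dropped) for this key's curve."""
    usable, dropped = [], []
    for name in configured:
        m = SUITE.match(name)
        if not m:
            continue  # not an ECDHE_ECDSA suite with a curve suffix
        (usable if m["curve"] == curve else dropped).append(name)
    return usable, dropped


# Constructed inputs: the SubjectPublicKeyInfo algorithm bytes of a P-256 key
# and a hypothetical suite order (not copied from the page's screenshots).
SAMPLE_SPKI_ALG = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")
SAMPLE_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
]

if __name__ == "__main__":
    print(split_by_curve(SAMPLE_ORDER, cert_curve(SAMPLE_SPKI_ALG)))
```

To check a real certificate, pass the bytes of its DER-encoded (.cer) file to `cert_curve` and the server's configured suite order to `split_by_curve`.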

4 additional answers

  1. Karlie Weng 16,091 Reputation points Microsoft Vendor
    2021-03-19T07:29:36.837+00:00

    Hello @Sylvain Crouet

    Currently in Microsoft Q&A we support: https://learn.microsoft.com/en-us/answers/products/

    Please post your issue in StackOverflow. Users there are more familiar with this issue and are better at solving it.

    Stack Overflow is an open community for anyone that codes. We help you get answers to your toughest coding questions, share knowledge with your coworkers in private, and find your next dream job.

    Best Regards
    Karlie


  2. Sylvain Crouet 96 Reputation points
    2021-03-19T08:58:15.947+00:00

  3. Sylvain Crouet 96 Reputation points
    2021-03-22T15:25:21.303+00:00

    Well, StackOverflow doesn't accept my question because it's about "networking-related infrastructure administration". And it is, indeed.
    Would it be possible to move my question to the correct topic? Maybe the windows-server-infrastructure?


  4. Sylvain Crouet 96 Reputation points
    2021-04-02T05:39:40.497+00:00

    Hi,

    My question is not about a connection from the Windows server like RustyShort-9392, but to it. Thus, maybe we can change the tag for "windows-server-2012".
