ECDHE_ECDSA cipher suites with GCM enabled but not proposed externally

Question

Hello,

I have a fully patched Windows 2012 R2 server with IIS 8.5 as reverse-proxy.
I enabled several ECDHE_ECDSA cipher suites with GCM:

But the Qualys SSL Server test sees only one:

Can someone help me find a solution to have all enabled ECDHE_ECDSA cipher suites with GCM appear?

Answer 1

Hi,

Thanks to Azure support, I discovered that it's related to the ECC key length. For example, with a 256-bits key, only cipher suites ending with P256 can be used. Thus, to use AES_256_GCM suites, I need a 384- or 521-bits key.

Answer 2

Hello @Sylvain Crouet

Currently in Microsoft Q&A we support: https://learn.microsoft.com/en-us/answers/products/

Please post your issue in StackOverflow. Users there are more familiar with this issue and are better at solving it.

Stack Overflow is an open community for anyone that codes. We help you get answers to your toughest coding questions, share knowledge with your coworkers in private, and find your next dream job.

Best Regards
Karlie

----------

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

OK. Thank you. I've posted in StackOverflow: https://stackoverflow.com/questions/66705157/ecdhe-ecdsa-cipher-suites-with-gcm-enabled-but-not-proposed-externally

Answer 4

Well, StackOverflow doesn't accept my question because it's about "networking-related infrastructure administration". And it is, indeed.
Would it be possible to move my question to the correct topic? Maybe the windows-server-infrastructure?

Answer 5

Hi,

My question is not about a connection from the Windows server like RustyShort-9392, but to it. Thus, maybe we can change the tag for "windows-server-2012".