ECDHE_ECDSA cipher suites with GCM enabled but not proposed externally

Sylvain Crouet 96 Reputation points


I have a fully patched Windows 2012 R2 server with IIS 8.5 as reverse-proxy.
I enabled several ECDHE_ECDSA cipher suites with GCM:

But the Qualys SSL Server test sees only one:

Can someone help me find a solution to have all enabled ECDHE_ECDSA cipher suites with GCM appear?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,579 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sylvain Crouet 96 Reputation points


    Thanks to Azure support, I discovered that it's related to the ECC key length. For example, with a 256-bits key, only cipher suites ending with P256 can be used. Thus, to use AES_256_GCM suites, I need a 384- or 521-bits key.

    0 comments No comments

4 additional answers

Sort by: Most helpful
  1. Karlie Weng 16,091 Reputation points Microsoft Vendor

    Hello @Sylvain Crouet

    Currently in Microsoft Q&A we support:

    Please post your issue in StackOverflow. Users there are more familiar with this issue and are better at solving it.

    Stack Overflow is an open community for anyone that codes. We help you get answers to your toughest coding questions, share knowledge with your coworkers in private, and find your next dream job.

    Best Regards


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

  2. Sylvain Crouet 96 Reputation points
    0 comments No comments

  3. Sylvain Crouet 96 Reputation points

    Well, StackOverflow doesn't accept my question because it's about "networking-related infrastructure administration". And it is, indeed.
    Would it be possible to move my question to the correct topic? Maybe the windows-server-infrastructure?

  4. Sylvain Crouet 96 Reputation points


    My question is not about a connection from the Windows server like RustyShort-9392, but to it. Thus, maybe we can change the tag for "windows-server-2012".

    0 comments No comments