2012r2 windows update tls cipher support

Robert Vilhelmsen 1 Reputation point
2021-11-15T11:27:32.62+00:00

Hi,

After applying a new GPO that disables older TLS ciphers, all my 2012 R2 servers fail to download Windows updates with error 0x80072efe.

My GPO settings are:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

SSL 2 and 3 are disabled.
TLS 1.0, 1.1 and 1.2 are enabled.
DES 56/56, RC2 40/128, RC2 40/128, RC2 56/128, RC2 128/128, RC4 40/128, RC4 64/128, RC4 128/128 = disabled
Triple DES 168, AES 128/128, AES 256/256, MD5, SHA256, SHA384, SHA512, Diffie-Hellman, PKCS, ECDH = enabled

A Wireshark capture does not show why the remote server denies the traffic, other than that it sends a RST, ACK after the client has sent its TLS 1.2 Hello message.
If I install Microsoft Edge (instead of iexplore) the TLS communication gets a bit further, but still fails with a RST reply from the server with IP 52.152.110.14 every time (only this server).

Any clue why/what is causing this? What ciphers am I missing here?

Regards
Robert


3 answers

  1. Robert Vilhelmsen 1 Reputation point
    2021-11-15T12:19:27.137+00:00

    Browsing to HTTPS://sls.update.microsoft.com/SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/6.3.9600.0/0?CH=526&L=en-US&P=&PT=0x7&WUA=7.9.9600.19915
    gives me the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.


  2. Robert Vilhelmsen 1 Reputation point
    2021-11-15T13:13:49.443+00:00

    Found the problem.

    The Windows Update server supports the following ciphers:
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128

    I enabled TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 as this is supported on Windows 2012 R2.

    The newer ciphers were first added in Windows 2016.

    /Robert

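An added diagnostic for the situation in this answer (example code, not from the thread or from Microsoft): it reads the Schannel cipher-suite order the GPO delivered to a 2012 R2 server and reports which entries line up with the four suites the update server offered. It assumes the GPO writes the standard policy key shown below and that 2012 R2 suite names carry a trailing curve suffix (_P256/_P384/_P521) that has to be stripped before comparing with the server's names.

```powershell
# Suites the Windows Update endpoint advertised (taken from the answer above).
$serverSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

function Get-ConfiguredCipherSuites {
    # GPO-delivered order is a comma-separated REG_SZ under the policy key;
    # without a policy, fall back to the local default order (REG_MULTI_SZ).
    # Key paths are assumptions based on the standard Schannel locations.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $local  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    $value = (Get-ItemProperty -Path $policy -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($value) {
        return ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return (Get-ItemProperty -Path $local -Name Functions -ErrorAction SilentlyContinue).Functions
}

function Get-CommonCipherSuites {
    param([string[]]$Client, [string[]]$Server)
    # Drop the 2012 R2 curve suffix so the client's names match the server's
    # names; keep the original entry so you can see which GPO line matched.
    foreach ($name in $Client) {
        $base = $name -replace '_P(256|384|521)$', ''
        if ($Server -contains $base) {
            [pscustomobject]@{ ConfiguredSuite = $name; MatchesServerSuite = $base }
        }
    }
}

$configured = @(Get-ConfiguredCipherSuites)
$common = @(Get-CommonCipherSuites -Client $configured -Server $serverSuites)

if ($common.Count -gt 0) {
    # At least one suite overlaps; the handshake can negotiate one of these.
    $common | Format-Table -AutoSize
} else {
    # No overlap explains a server-side reset right after the Client Hello.
    Write-Warning 'No cipher suite in common with the update server; the TLS handshake cannot succeed.'
}
```

Run it in an elevated PowerShell on the affected server after a gpupdate so the policy key reflects the current GPO.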

  3. Limitless Technology 39,426 Reputation points
    2021-11-16T08:43:48.293+00:00

    Hi there,

    Different Windows versions support different TLS cipher suites and priority order. You can get them from here: https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

    The GPO might have stopped the update service on your 2012 R2 servers; try kick-starting them.

    1. Click Start and start typing "services.msc" on your keyboard.
    2. "services.msc" should show up in your search results. Open it with a click.
    3. A new window will open containing all Windows services on your system. Search for "Windows Update".
    4. Right-click "Windows Update" and then click Start.
