Cipher suites

Robert Vilhelmsen 1 Reputation point
2021-11-23T06:38:02.62+00:00

Hi,

Here is a list of cipher suites I have enabled.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

The above list works with Windows 10, Server 2016 and Server 2019, but not Server 2012 R2 when fetching Windows updates. Wireshark on 2012 shows unknown certificate.
If I add cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 then Windows updates on 2012 R2 work, but stop working on the other OSes - again with error unknown certificate.

So I have made a GPO where I assign different cipher suites based on the target OS, which solves the issue.

Can anybody explain to me why cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 has this impact?

Regards
Robert


1 answer

  1. Limitless Technology 39,516 Reputation points
    2021-11-25T16:18:38.847+00:00

    Hi there,

    I suppose you must reorder the cipher suites from weakest to the strongest in the order, and that might also be an impact for these TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 having the impact.

    A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. The larger the key size, the stronger the cipher. Weak ciphers are generally known as encryption/decryption algorithms that use key sizes that are less than 128 bits.


    --If the reply is helpful, please Upvote and Accept it as an answer--
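As an added example (not part of this thread), here is a small Python helper for the naming difference behind the question: Windows 8.1 / Server 2012 R2 and earlier name ECDHE suites with a trailing curve suffix such as `_P256` or `_P384`, while Windows 10 / Server 2016 and later use the bare suite name and configure the curves separately, so a single cipher suite order string cannot satisfy both. It rewrites a list for each naming convention, flags the entries a given OS would not recognise, and builds the comma-separated `Functions` value the SSL Cipher Suite Order policy stores (the 1,023-character cap is the documented limit of that value); the sample suites are taken from the question.

```python
import re

# Windows 8.1 / Server 2012 R2 and earlier name ECDHE suites with a trailing
# curve suffix (_P256, _P384); Windows 10 / Server 2016+ use the bare name.
CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")
FUNCTIONS_MAX_LEN = 1023  # documented size limit of the policy's Functions value

def split_suite(name):
    """'TLS_..._SHA384_P384' -> ('TLS_..._SHA384', 'P384'); no suffix -> None."""
    m = CURVE_SUFFIX.search(name)
    return (name[:m.start()], "P" + m.group(1)) if m else (name, None)

def suites_for_os(configured, legacy_naming, curves=("P384", "P256")):
    """Rewrite a suite list for one naming convention, preserving order.
    legacy_naming=True expands each ECDHE suite per curve (2012 R2 style),
    False strips the suffix (2016+ style); duplicates are dropped.
    """
    out = []
    for name in configured:
        base, _ = split_suite(name)
        if legacy_naming and "_ECDHE_" in base:
            variants = [f"{base}_{c}" for c in curves]
        else:
            variants = [base]
        for s in variants:
            if s not in out:
                out.append(s)
    return out

def unrecognised_for_os(configured, legacy_naming):
    """Entries of a shared list that the given OS would not recognise."""
    bad = []
    for name in configured:
        base, curve = split_suite(name)
        if legacy_naming and "_ECDHE_" in base and curve is None:
            bad.append(name)  # 2012 R2 expects the ..._P384 / ..._P256 form
        elif not legacy_naming and curve is not None:
            bad.append(name)  # 2016+ does not know the suffixed form
    return bad

def functions_value(suites):
    """Comma-separated string as stored in the SSL Cipher Suite Order policy."""
    value = ",".join(suites)
    if len(value) > FUNCTIONS_MAX_LEN:
        raise ValueError(f"order is {len(value)} chars, limit {FUNCTIONS_MAX_LEN}")
    return value

# Constructed sample: three of the suites listed in the question.
SHARED = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",       # bare, 2016+ form
          "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",  # suffixed, 2012 R2 form
          "TLS_RSA_WITH_AES_128_CBC_SHA"]                # RSA suites take no suffix
```

Running `unrecognised_for_os(SHARED, True)` and `unrecognised_for_os(SHARED, False)` shows that each OS rejects a different entry of the same shared list, which is why a per-OS GPO was needed.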