Cipher suites

Question

Hi,

Here is a list of cipher suites, i have enabled.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

The above list works with WIndows 10, Server 2016, server 2019, but not server 2012r2 when fetching windows updates. Wireshark on 2012 shows unknown certificate.
If i add cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 then Windows updates on 2012r2 works, but stops working on other OS - again with error unknown certificate.

So i have made a GPO where i assign different cipher suites based on the target OS which solves the issue.

Can anybody explain to me why cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 has this impact?

Regards
Robert

Answer 1

Hi there,

I suppose you must reorder the cipher suites from weakest to the strongest in the order and that might also be a impact for these TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 having the impact.

A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. The larger the key size the stronger the cipher. Weak ciphers are generally known as encryption/ decryption algorithms that use key sizes that are less than 128 bits

---

--If the reply is helpful, please Upvote and Accept it as an answer--