Disable Cipher Suite in Server 2022 but still active

Question

Hi,

I've created a new VM in Azure of type "Windows Server 2022 Datacenter Azure Edition" - Core - and disabled weak cipher suites using PowerShells Disable-TlsCipherSuite.
The VM is behind an azure LoadBalancer.

Afterwards I checked with ssllabs.com. But it showed me, that there are still some weak cipher suites active.

So I went ahead and tried to explicitly disable the two weak cipher suites again using Disable-TlsCipherSuite.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

But PowerShell showed me, that these are already disabled.
When doing this in Server 2019 we had no problems at all. What am I missing here?

Any help appreciated.

Answer 1

TLS cmdlets (e.g., Disable-TlsCipherSuite) use Crypto Config APIs to modify the local cipher suite configuration.

Group Policy (GP) settings are enterprise-level configuration (usually set by the enterprise admin) and therefore override any local cipher suite configuration.

Most likely, what you are seeing is GP overriding local configuration. To confirm, please check whether the following reg value exists (and whether it includes the ciphers you've disabled locally (using TLS cmdlets):

HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\Functions

Answer 2

I'm seeing the same issue here. Disable-TlsCipherSuite doesn't seem to work on Windows Server 2022.

On Windows 2019:

1. Get-TlsCipherSuite | Format-Table Name
   1. I see a list of Ciphers that are active on the system
2. Disable-TlsCipherSuite -Name [name of Cipher]
   1. Command comes back with no output
3. Get-TlsCipherSuite | Format-Table Name
   1. Returns the original list minus the cipher I just disabled

On Windows 2022:

1. Get-TlsCipherSuite | Format-Table Name
   1. I see a list of Ciphers that are active on the system
2. Disable-TlsCipherSuite -Name [name of Cipher]
   1. Command comes back with no output
   2. Get-TlsCipherSuite | Format-Table Name
   3. Returns the original list
   If I run Disable-TlsCipherSuite -Name [name of Cipher] a second time, I get errors:

   PS> disable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225
   At line:1 char:1
   + disable-TlsCipherSuite -Name TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       + CategoryInfo          : NotSpecified: (:) [Disable-TlsCipherSuite], COMException
       + FullyQualifiedErrorId : Exception from HRESULT: 0xD0000225,Microsoft.WindowsAuthenticationProtocols.Commands.Rem
      oveTlsCipherSuiteCommand

Answer 3

Hello SebastianMann,

The fact that they are disabled doesn't mean that the suites will be deleted from the system. They will not be user/accepted, but they remain in the system.

---

--If the reply is helpful, please Upvote and Accept as answer--

Answer 4

Hi,

two things:

1. have you rebooted the server after the changes?
2. are you sure TLS is terminated on the server and not on the load balancer?

Answer 5

Hi @Sebastian Mann , I'm facing the same problem. Were you able to resolve this issue?