IIS 7 and Above
Acceptable Cipher Suites for Chrome
Last post Sep 13, 2017 07:15 AM by Yuk Ding
Sep 12, 2017 05:53 PM|jschweg|LINK
I'm in the process of redoing the SSL/Security on some of my IIS web servers and had a question about Chrome. My website is currently getting a score of A from Qualys; however, Google Chrome specifically gives me this:
An example website that Google is happy with is this:
From what I understand, Google will always give you an obsolete cipher if you aren't using the most modern cryptography possible. Specifically, I don't think they like any of the CBC ciphers and they want you to be on the GCM ciphers. At least with Server 2012, the only GCM ciphers that I have are these:
Now I know that I can't use the top group without an ECC/EV Certificate, but it won't negotiate at the bottom ones either even if I put them at the top of the Cipher list.
I guess the short version of my question is basically: is it possible to make Google happy without an EV/ECC SSL certificate?
Sep 12, 2017 06:55 PM|Rovastar|LINK
In answer to your question: last I checked, no, you cannot make Google happy (at least not at the same time as keeping SSLTest happy) for Windows 2012.
I believe 2016 has a few more that are compatible with Chrome, but I have not looked for a while.
Sep 12, 2017 07:07 PM|jschweg|LINK
Thanks, this is the conclusion that I was coming to, but I wanted to be sure. I guess I'll just upgrade to EV certificates as the current ones expire. Thanks for the confirmation.
Sep 13, 2017 07:15 AM|Yuk Ding|LINK
Have you tried the SSL cipher suite order in gpeditor -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order?
In addition, maybe IIS Crypto could help you fix this issue:
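Added example, not part of any post in this thread: a small Python check that parses a Schannel-style cipher suite order string and reports which suite a server-preference negotiation would land on for a given certificate type, and whether it is forward-secret with an AEAD (GCM) cipher. The suite list is constructed (it is not the original poster's list), the function names are hypothetical, and the browser's key-exchange set (ECDHE and RSA, no DHE) and the "modern" criterion are assumptions.

```python
import re

# Schannel-style name: TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>[_<curve>]
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_(?P<auth>ECDSA|RSA|DSS))?"
    r"_WITH_(?P<cipher>.+?)_(?P<hash>SHA\d*|MD5)(?:_(?P<curve>P\d{3}))?$"
)

def classify(name):
    """Return the properties of one suite name, or None if it does not parse."""
    m = SUITE_RE.match(name.strip())
    if m is None:
        return None
    auth = m["auth"] or "RSA"  # TLS_RSA_WITH_* authenticates with the RSA key
    return {
        "name": name.strip(),
        "kx": m["kx"],
        "cert": "ECC" if auth == "ECDSA" else auth,  # certificate key type needed
        "forward_secret": m["kx"] in ("ECDHE", "DHE"),
        "aead": m["cipher"].endswith("GCM"),
    }

def negotiate(order, cert, client_kx):
    """First suite in server order that fits the certificate and the client."""
    # Simplification: the client is modelled by its key-exchange types only.
    for suite in filter(None, map(classify, order.split(","))):
        if suite["cert"] == cert and suite["kx"] in client_kx:
            suite["modern"] = suite["forward_secret"] and suite["aead"]
            return suite
    return None

# Constructed sample order (not the poster's list), GCM suites moved to the top.
SAMPLE_ORDER = ",".join([
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256",
])

# Assumption: the browser offers ECDHE and RSA key exchange but not DHE.
BROWSER_KX = {"ECDHE", "RSA"}

if __name__ == "__main__":
    for cert in ("RSA", "ECC"):
        s = negotiate(SAMPLE_ORDER, cert, BROWSER_KX)
        print(cert, "->", s["name"], "modern" if s["modern"] else "obsolete")
```

Under these assumptions, moving GCM suites to the top does not change the outcome for an RSA certificate, because the first suite that both sides can use is still a CBC one.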