How to upgrade the cipher suite to a Windows Server 2012 R2 Standard

6 replies

Last post Mar 06, 2019 07:23 AM by Maria Giovanna

  • How to upgrade the cipher suite to a Windows Server 2012 R2 Standard

    Mar 03, 2019 11:37 AM|Maria Giovanna

    Hello,

    While installing the SSL certificates on my Windows Server 2012 R2 Standard with IIS 8.5, I got the following message when I looked at the details of the installed certificate in the browser: "The connection to www.xxxxx.it is encrypted via an obsolete encryption package".

    The certificate vendor told me that the problem was not in the certificate but in the system ciphers.

    I was then advised on the TechNet forum to install the certificates I found on the page

    https://support.hostway.com/hc/en-us/articles/360000024630-Managing-Windows-Server-Cipher-Suites-

    (which are the same ones that Microsoft recommends). I did the update but got no result. The site's rating on SSL Test was still C everywhere, and I still had the message that the certificate was obsolete.

    At that point, based on the rating results, I disabled the SSL 3 service and deleted some encryption packages marked as weak. So in the end the installed ciphers were:

    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
    SSL_CK_DES_192_EDE3_CBC_WITH_MD5

    A new test showed an overall improvement in the situation, giving me a B rank with a significant increase in the Protocol support level. However, the Cipher strength still remains critical, as the site gives me the following warning: "This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B." This makes me think that it is an inherent problem of Windows Server 2012 R2, also because the original problem has not been solved to date, as the message about the use of obsolete cryptographic packages is still present.

    Can you help me please?

    Thank you

  • Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: How to upgrade the cipher suite to a Windows Server 2012 R2 Standard

    Mar 03, 2019 06:17 PM|Maria Giovanna

    Thanks to Lextm for the answer, but it does not help me much, as my certificates are RapidSSL RSA Ca 2018 using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the main key exchange mechanism, and the connection uses TLS 1.2.
    Those ciphers were present in the original certificate that gave me a C rating.
    Do you have any other suggestions?

  • Re: How to upgrade the cipher suite to a Windows Server 2012 R2 Standard

    Mar 03, 2019 08:40 PM|mbanavige

    AEAD would need a GCM type cipher and the two GCM ciphers that you have:

        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,

    are both ECDSA.

    I think you need to include an RSA type cipher (not ECDSA) based on your cert provider,

    such as: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    This cipher list can be updated in the registry here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

    Including RSA/GCM ciphers on a Server 2008 R2 box managed to get it an A rating, so I think you should be able to obtain an A rating on Server 2012 as well.

    Mike Banavige
  • Re: How to upgrade the cipher suite to a Windows Server 2012 R2 Standard

    Mar 03, 2019 10:45 PM|lextm

    Maria Giovanna

    my certificates are RapidSSL RSA Ca 2018 using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the main key exchange mechanism and the connection uses TLS 1.2.

    Please read that article carefully, as it says,

    Ciphers available on Windows Server 2012 R2

    https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1

    The following cipher suites support AEAD encryption on Windows Server 2012 R2:

    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

    The first 3 ciphers listed above are ECDSA ciphers and need an ECDSA certificate with an ECC public key. If you are using a RSA certificate, those ciphers are not used.

    Your certificate unfortunately does not qualify. So before claiming "it does not help", make some efforts to fully understand what's being discussed here. (You seemed to have disabled the DHE ones.)

    Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
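    The two replies above make one point between them: AEAD means a GCM suite, and a GCM suite is only negotiable if its authentication algorithm (ECDSA, RSA or DSS, the part of the name after the key-exchange token) matches the key type of the installed certificate. The following read-only PowerShell script is an added example, not code from this thread or from any of its posters. It reads the cipher suite order from the policy registry key mbanavige names (the comma-separated `Functions` value under that key), falls back to `Get-TlsCipherSuite` from the Windows TLS module when no policy order is set, classifies each suite, and reports whether any AEAD suite can actually be used with the given certificate key type. The regular expressions for classifying suite names and the `Weak` heuristic are assumptions made for this example.

```powershell
# Added example (not from the forum thread): classify the cipher suites a
# Windows Server 2012 R2 host offers and report whether any AEAD (GCM) suite
# can be negotiated with the installed certificate's key type.
# Read-only: nothing is changed. Run in an elevated Windows PowerShell.

# Group-policy cipher suite order, the key named in mbanavige's reply.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ConfiguredCipherSuites {
    # Prefer the policy "Functions" value (REG_SZ, comma separated); fall back
    # to the TLS module's view of the active order when no policy is set.
    $functions = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($functions) {
        return @($functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
}

function Get-CipherSuiteProfile {
    param([Parameter(Mandatory)][string]$Name)
    # Schannel names carry the key exchange and authentication algorithm up
    # front (TLS_ECDHE_RSA_..., TLS_DHE_DSS_...) and the bulk cipher mode
    # (GCM or CBC) further in. The _P256/_P384 suffix Windows adds is tolerated.
    $auth = switch -Regex ($Name) {
        '^TLS_(ECDHE|DHE)_RSA_' { 'RSA';   break }
        '^TLS_ECDHE_ECDSA_'     { 'ECDSA'; break }
        '^TLS_DHE_DSS_'         { 'DSS';   break }
        '^TLS_RSA_'             { 'RSA';   break }   # RSA key exchange, no forward secrecy
        default                 { 'other' }
    }
    [pscustomobject]@{
        Name           = $Name
        Authentication = $auth
        ForwardSecrecy = ($Name -match '^TLS_(ECDHE|DHE)_')
        AEAD           = ($Name -match '_GCM_')
        # Heuristic (assumption for this example): legacy algorithms SSL Labs flags as weak.
        Weak           = ($Name -match '3DES|RC4|NULL|DES_|MD5|^SSL_CK_')
    }
}

function Test-AeadAvailability {
    param(
        [string[]]$Suites,
        # Key type of the server certificate; the certificate in this thread is RSA.
        [ValidateSet('RSA', 'ECDSA')][string]$CertificateKeyType = 'RSA'
    )
    $profiles = foreach ($s in $Suites) { Get-CipherSuiteProfile -Name $s }
    $usable   = @(foreach ($p in $profiles) { if ($p.AEAD -and $p.Authentication -eq $CertificateKeyType) { $p.Name } })
    $unusable = @(foreach ($p in $profiles) { if ($p.AEAD -and $p.Authentication -ne $CertificateKeyType) { $p.Name } })
    $weak     = @(foreach ($p in $profiles) { if ($p.Weak) { $p.Name } })
    [pscustomobject]@{
        CertificateKeyType = $CertificateKeyType
        AeadUsable         = ($usable.Count -gt 0)   # false means SSL Labs caps the grade at B
        UsableAeadSuites   = $usable
        UnusableAeadSuites = $unusable               # AEAD suites whose auth does not match the cert
        WeakSuites         = $weak
    }
}

Test-AeadAvailability -Suites (Get-ConfiguredCipherSuites) -CertificateKeyType RSA | Format-List
```

    Run against the list in the first post, the only GCM suite (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256) lands in UnusableAeadSuites because it needs an ECDSA certificate, so AeadUsable is false, which is exactly the "no AEAD" cap SSL Labs reports. Once an RSA-authenticated GCM suite such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is in the order (via the policy value or the TLS module's Enable-TlsCipherSuite cmdlet), the report should show it under UsableAeadSuites; re-test with SSL Labs afterwards, since that tool sees what the server actually negotiates rather than what the registry lists.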
  • Re: How to upgrade the cipher suite to a Windows Server 2012 R2 Standard

    Mar 05, 2019 08:57 PM|Maria Giovanna

    Hi lextm and mbanavige,

    I have read, reread and reread your advice with great attention. I struggle a lot because I'm not a system engineer and my English is horrible, but since I'm facing this problem, I have to study and ask for help.

    I have applied your suggestions and made numerous attempts, and the last ciphers I installed on the server are the following, taken from the Microsoft site, after deleting those considered "weak" by Qualys SSL Labs:

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

    The situation has not improved at all. It stays at the B rating, but above all with the message saying that the connection is encrypted with an obsolete cryptographic package. Among other things, the strange thing I forgot to mention is that I see that message only in the browsers of Android devices.

    My certificate says: "The connection was encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the main key exchange mechanism"

    I have no idea what else can be done.

    Do I have to change the certificate and look for one with an ECDSA signature and not RSA (hoping it does not cost too much, as mine are only reference sites and I do not ask users for any information)?

    Thanks for any other advice you want to give me.

  • Re: How to upgrade the cipher suite to a Windows Server 2012 R2 Standard

    Mar 06, 2019 07:23 AM|Maria Giovanna

    I was also disheartened by what is written in this forum thread: https://forums.iis.net/t/1226511.aspx.
    Is it true?