How to upgrade the cipher suite to a Windows Server 2012 R2 Standard
Last post Apr 26, 2019 09:32 PM by Akshay_M
Mar 03, 2019 11:37 AM|Maria Giovanna|LINK
Installing the SSL certificates on my Windows Server 2012 R2 Standard with IIS 8.5, I found myself seeing the following message when I went to look at the details of the certificate installed in the browser: "The connection to www.xxxxx.it is encrypted via an obsolete encryption package".
The certificate vendor told me that the problem was not in the certificate but in the system ciphers.
It was then suggested to me on the TechNet forum to install the certificates I found on the page (which are the same ones that Microsoft recommends). I did the update, but I did not get any results. The site's rating on SSL Test was always and everywhere C, and I always had the message that the certificate
At that point, based on the results of the rating, I disabled the SSL 3 service and deleted some encryption packages marked as weak. And so at last the installed ciphers were:
A new test showed a global improvement in the situation, giving me a rank B with a significant increase in the level of Protocol support. However, the Cipher strength still remains critical, as the site gives me the following warning: "This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B." This makes me think that it is an inherent problem of Windows Server 2012 R2, also because the original problem has not yet been solved to date, as the message about the use of obsolete cryptographic packages is still present.
Can you help me please?
Mar 03, 2019 04:14 PM|lextm|LINK
Mar 03, 2019 06:17 PM|Maria Giovanna|LINK
Thanks to Lextm for the answer, but it does not help me much, as my certificates are RapidSSL RSA CA 2018 using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the main key exchange mechanism, and the connection uses TLS 1.2.
Those ciphers were present in the original certificate that gave me a C rating.
Do you have any other suggestions?
Mar 03, 2019 08:40 PM|mbanavige|LINK
AEAD would need a GCM type cipher and the two GCM ciphers that you have:
are both ECDSA.
I think you need to include an RSA type cipher (not ECDSA) based on your cert provider
such as: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
This cipher list can be updated in the registry here:
Including RSA/GCM ciphers on a Server 2008 R2 box managed to get it an A rating, so I think you should be able to obtain an A rating on Server 2012 as well.
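An added example, not code from this thread or from Microsoft: a PowerShell audit of the configured cipher suite order that flags exactly the failure mode discussed above, a list whose only GCM (AEAD) suites are ECDSA ones while the site uses an RSA certificate. It assumes the suite order was set through the Group Policy "SSL Cipher Suite Order" registry key, and reads the registry directly because Get-TlsCipherSuite is not available on Windows Server 2012 R2.

```powershell
# Added example (not from the thread). Audits the Schannel cipher suite order on
# Windows Server 2012 R2 for AEAD suites that an RSA certificate can actually use.
# Assumption: the order was set via the Group Policy key below (SSL Cipher Suite Order).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-ConfiguredCipherSuites {
    # "Functions" is one comma-separated string of suite names; empty list if unset.
    $value = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $value) { return @() }
    return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-AeadForRsaCertificate {
    param([string[]]$Suites)
    $report = foreach ($s in $Suites) {
        $cert = 'RSA'
        if ($s -match '_ECDSA_') { $cert = 'ECDSA' }   # needs an ECC certificate
        [pscustomobject]@{
            Suite   = $s
            Aead    = [bool]($s -match '_GCM_')        # GCM is the only AEAD mode on 2012 R2
            Cert    = $cert
            CbcSha1 = [bool]($s -match '_CBC_SHA$')    # the CBC/HMAC-SHA1 combination browsers call obsolete
        }
    }
    $usable = @($report | Where-Object { $_.Aead -and $_.Cert -eq 'RSA' })
    $advice = 'No GCM suite usable with an RSA certificate; add e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.'
    if ($usable.Count -gt 0) { $advice = 'At least one AEAD suite is usable with an RSA certificate.' }
    [pscustomobject]@{
        Suites            = $report
        AeadUsableWithRsa = ($usable.Count -gt 0)
        Advice            = $advice
    }
}

function Test-Ssl3Disabled {
    # SSL 3.0 counts as disabled only when the server-side Enabled value is explicitly 0.
    $k = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
    $v = (Get-ItemProperty -Path $k -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($null -ne $v -and $v -eq 0)
}

$result = Test-AeadForRsaCertificate -Suites (Get-ConfiguredCipherSuites)
$result.Suites | Format-Table -AutoSize
$result.Advice
"SSL 3.0 disabled: $(Test-Ssl3Disabled)"
```

Run it in an elevated PowerShell session on the web server; if the policy key is absent the suite list comes back empty, meaning the order is still the operating system default rather than anything set by hand.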
Mar 03, 2019 10:45 PM|lextm|LINK
my certificates are RapidSSL RSA Ca 2018 using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the main key exchange mechanism and the connection uses TLS 1.2.
Please read that article carefully, as it says,
The following cipher suites support AEAD encryption on Windows Server 2012 R2:
The first 3 ciphers listed above are ECDSA ciphers and need an ECDSA certificate with an ECC public key.
If you are using a RSA certificate, those ciphers are not used.
Your certificate unfortunately does not qualify. So before claiming "it does not help", make some efforts to fully understand what's being discussed here. (You seemed to have disabled the DHE ones.)
Mar 05, 2019 08:57 PM|Maria Giovanna|LINK
Hi lextm and mbanavige,
I have read, reread and reread your advice with great attention. I struggle a lot because I'm not a system engineer and my English is horrible, but since I'm facing this problem, I have to study and ask for help.
I have applied your suggestions and made numerous attempts. The last ciphers I installed on the server are the following, taken from Microsoft's site, and I deleted those considered "weak" by Qualys SSL Labs:
The situation has not improved at all. I am still at the B rating and, above all, still have the message that says the connection is encrypted with an obsolete cryptographic package. Among other things, the strange thing I forgot to mention is that I see that message only in the browsers of Android devices.
My certificate says: "The connection was encrypted using AES_256_CBC, with HMAC-SHA1 for message authentication and ECDHE_RSA as the main key exchange mechanism"
I have no idea what else I can do.
I have to change certificate and look for one with an ECDSA signature and not RSA (hoping it does not cost too much, as mine are only reference sites and I do not ask for any information
Thanks for any other advice you want to give me.
Mar 06, 2019 07:23 AM|Maria Giovanna|LINK
I was also disheartened by what is written in this forum https://forums.iis.net/t/1226511.aspx.
Apr 26, 2019 09:32 PM|Akshay_M|LINK
You can use IIS Crypto to set the required SSL/TLS cipher suites offered by IIS. It has built-in Best Practices, PCI 3.2, Strict and FIPS 140-2 templates.
IIS Crypto (Nartac Software) is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016 and 2019. It also lets you reorder the SSL/TLS cipher suites offered by IIS, change advanced settings, implement Best Practices with a single click, create custom templates and test your website.
System Admin -