Configuring Secure Ciphers Suites and TLS
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post.
There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry.
- One key under Protocols reflecting the name of the protocol (e.g. TLS 1.2)
- Two keys under that key -- Client and Server
- Two REG_DWORD values -- Enabled and DisabledByDefault
- Set the Enabled value to 1 (binary) and the DisabledByDefault value to 0 (binary)
- This enables TLS 1.2 as a client protocol and it will be enabled by default.
- Swap these values if you want to disable the protocol.
Cipher Suite Order
- The order matters. First in the list will be tried first and so on. You may list 20 here but some applications may stop looking after 10. Prioritize appropriately.
- The cipher suites are comma separated values.
- Do not include any spaces.
- Make sure the cipher suite(s) you want to use are named correctly. Naming can vary depending on your Windows OS (mostly around Elliptic Curve cipher suites: Windows 10/2016 no longer requires the _P256, etc., designations on EC suites, while 2012R2 and earlier does).
(Image credit: Microsoft)
- Some applications will completely ignore your cipher suite preferences. For example, Google Chrome comes with its own set of cipher suites it will attempt to use when connecting with the world.
- If you run into trouble remember Wireshark can tell you exactly what is being proposed as acceptable cipher suites on both the client and server sides.
- Parameters other than those covered here can also cause connection problems -- for example, KeyExchangeAlgorithms.
- Linux/UNIX systems also need to be hardened to use TLS 1.2 with secure cipher suites. That's a post for a different day, but in case that's what you came here looking for, here are a couple of links to get you started:
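Putting the registry steps above together, here is an added PowerShell example (not from the original post) that writes the protocol keys and the cipher suite order, and checks each suite name against the OS's own list before writing it, since a misspelled name is silently ignored. The SCHANNEL and SSL policy paths are the standard Windows locations; the suite list is a constructed sample using Windows 10/2016 naming (no _P256 suffix).

```powershell
# Added example: configure SCHANNEL protocols and cipher suite order via the
# registry, then verify. Run as Administrator; reboot before SCHANNEL picks
# up the changes. Suite names are a constructed sample for Windows 10/2016.
$Protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$SslPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enable)
    # One key per protocol, two subkeys (Client/Server), two DWORDs in each.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $Protocols "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Set-CipherSuiteOrder {
    param([string[]]$Suites)
    # Names must match what this OS knows; Get-TlsCipherSuite lists them.
    $known = (Get-TlsCipherSuite).Name
    $bad = $Suites | Where-Object { $_ -notin $known }
    if ($bad) { throw "Unknown cipher suite name(s): $($bad -join ', ')" }
    New-Item -Path $SslPolicy -Force | Out-Null
    # Comma separated, no spaces; the first entry is tried first.
    New-ItemProperty -Path $SslPolicy -Name Functions -PropertyType String `
        -Value ($Suites -join ',') -Force | Out-Null
}

# Enable TLS 1.2 on both sides, disable the older protocols.
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
Set-SchannelProtocol -Name 'TLS 1.1' -Enable $false
Set-SchannelProtocol -Name 'TLS 1.0' -Enable $false

# Constructed sample order: ECDHE with AEAD ciphers, strongest first.
Set-CipherSuiteOrder -Suites @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Show what was written before rebooting.
Get-ItemProperty -Path $SslPolicy -Name Functions | Select-Object -ExpandProperty Functions
```

After the reboot, Get-TlsCipherSuite shows the effective order, and a Wireshark capture of the ClientHello/ServerHello confirms what is actually offered and chosen.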