Internet Explorer - FIPS Compliant Algorithms - Not resetting ciphers

  • Question

  • I recently discovered that certain websites using HTTPS were not advertising FIPS compliant algorithms, and we were unable to connect to them because of this. In my environment we had the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" group policy enabled. Because we needed access to these sites, it was decided that this policy should be disabled. However, Internet Explorer did not revert to using all the available cipher suites. We still cannot connect to these sites. And when I capture the TLS "Client Hello" packet, IE is only advertising those cipher suites which meet the FIPS compliance standards. How can I get IE to reset back to using all cipher suites? I've double checked that the registry setting that corresponds to the GPO is correct (disabled). I've also tried uninstalling IE (removing the feature), and then reinstalling.
    Wednesday, October 30, 2013 10:13 PM

Answers

  • The problem was that the website I was connecting to was only configured to accept RC4 ciphers, for example, TLS_RSA_WITH_RC4_128_SHA.

    Internet Explorer was not advertising any RC4 ciphers, no matter how I configured it. I suspected that it had to do with the FIPS Compliant Algorithms group policy, but the policy was disabled. Microsoft's documentation states that the GPO controls the reg key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy]. This key was disabled; I had checked it multiple times. After exhausting all my options, I decided to just search the entire registry for "FIPS" and track down each reference. Lo and behold, there was a value under the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] called "fipsalgorithmpolicy", and it was set to 1. After setting it back to 0 and rebooting, IE started advertising the RC4 algorithm properly.


    • Marked as answer by Nick_D1 Thursday, October 31, 2013 9:01 PM
    • Edited by Nick_D1 Thursday, October 31, 2013 9:10 PM Corrected registry key path
    Thursday, October 31, 2013 9:01 PM
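The accepted answer comes down to FIPS-only mode being enforced from two registry locations: the documented key the GPO writes (whose DWORD value is named Enabled on Vista and later) and a legacy DWORD of the same name sitting directly under Lsa. The following PowerShell script is an added example, not code from the thread; it audits both locations, reports which one still forces FIPS-only cipher selection, and optionally clears it (the -Fix switch and the output labels are this example's own).

```powershell
# Added example: audit the two registry locations that can put Schannel (and
# therefore Internet Explorer) into FIPS-only cipher-suite mode.
# Reading needs no privileges; -Fix writes to HKLM and needs an elevated prompt.
param([switch]$Fix)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    # Documented location written by the "Use FIPS compliant algorithms" GPO
    @{ Path = "$lsa\FipsAlgorithmPolicy"; Name = 'Enabled';             Label = 'GPO-controlled key' },
    # Legacy value directly under Lsa; the thread found this one still set to 1
    @{ Path = $lsa;                       Name = 'FipsAlgorithmPolicy'; Label = 'legacy Lsa value'   }
)

$stillEnabled = $false
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0,-20} {1}\{2} : not present" -f $c.Label, $c.Path, $c.Name)
        continue
    }
    $val = $item.($c.Name)
    Write-Output ("{0,-20} {1}\{2} : {3}" -f $c.Label, $c.Path, $c.Name, $val)
    if ($val -ne 0) {
        $stillEnabled = $true
        if ($Fix) {
            # Same remediation as the answer: set the value to 0, then reboot
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
            Write-Output '    -> set to 0 (reboot required for Schannel to pick this up)'
        }
    }
}

if ($stillEnabled -and -not $Fix) {
    Write-Warning 'FIPS-only mode is still enforced by at least one value; rerun with -Fix from an elevated prompt.'
}
```

A non-zero value in either location is enough to keep RC4 and other non-FIPS suites out of IE's Client Hello, which is why checking only the GPO-backed key looked clean in the question. Note that RC4 cipher suites have since been prohibited for TLS (RFC 7465), so today the fix for a server that only accepts TLS_RSA_WITH_RC4_128_SHA belongs on the server, not in the client's FIPS settings.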