gpedit.msc and SSL cipher suites


  • KB3161639 introduces two new ciphers TLS_DHE_RSA_WITH_AES_128_CBC_SHA, and TLS_DHE_RSA_WITH_AES_256_CBC_SHA.

    Because of a bug in MS SQL JDBC driver 4.0 which will never be fixed I have to remove these ciphers from the SSL Cipher Suite Order.

    As noted in the instructions the Cipher suite order is restricted to 1023 chars because of a limit in gpedit.msc

    Also mentioned in the KB is that using gpedit.msc is the supported way to modify this setting.

    The problem is that the default list even with the two offending ciphers removed is hundreds of characters longer than what gpedit.msc allows.

    That means I have to remove an additional 11 ciphers to make the list fit. I don't really have an objective way to cull those additional ciphers.

    The servers are not internet exposed if that helps.

    The other alternative is to edit the registry, which is apparently not supported, and additionally means that if the default cipher order is updated those changes will be lost.

    I have to give advice to multiple customers to resolve this problem on both 2008 and 2012 servers.

    I am looking for some guidance from Microsoft seeing as how the KB seems to have deliberately glossed over the gpedit.msc limitation.

    Thursday, December 15, 2016 7:02 AM

All replies