Ciphers vary with SSL Certificate

  • Question

  • Hi Friends

    I am facing a strange issue at my end where the cipher suite in the SSL handshake varies with two certificates even though both were issued against the same certificate template. My question is: can an SSL "certificate" control the cipher suites within an SSL session? My understanding is that the SSL server / client determine what cipher is to be used in an SSL session based on what is available on either end. I am happy to be corrected. Thanks in advance.

    Details:

    Certificate A:

    • CSR is generated from a certificate management server (using OpenSSL), with standard extensions.
    • Certificate is generated against template A. PFX imported into target IIS Web Server
    • SSL Checker tool reports Cipher Suite Supported - TLS v1.0

    Certificate B

    • CSR is generated on the target IIS Web Server. The request has additional SMIME Capabilities extension.
    • Certificate is generated against template A. The certificate also has an additional SMIME Capabilities extension. Not sure if this extension drives the cipher suite selection.
    • SSL Checker tool reports Cipher Suite Supported in SSL handshake - SSL v1.0, SSL v2.0, SSL v3.0 and TLS v1.0
    Tuesday, December 22, 2015 5:13 AM

Answers

  • Hi,

    >>My question is can a SSL "certificate" control the cipher suites within a SSL session. 

    In brief, yes.

    When we generate a CSR, a key pair will be generated. The type of the key pair will influence the use of the cipher suites.

    Here is a detailed explanation in the following thread:

    http://security.stackexchange.com/questions/90422/ssl-certificates-and-cipher-suites-correspondence

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards.


    Steven Lee

    • Proposed as answer by Steven_Lee0510 Thursday, January 7, 2016 12:12 PM
    • Marked as answer by Steven_Lee0510 Thursday, January 7, 2016 10:49 PM
    Wednesday, December 23, 2015 2:41 AM
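
How the key pair type narrows the usable cipher suites, shown as an added example that is not part of the original thread: the function names, the offered suite list and the certificate descriptions are constructed for illustration. The rules are those of RFC 5246 section 7.4.2 for TLS 1.2 and earlier, where the suite name encodes the authentication method.

```python
# Added example: which TLS 1.2-and-earlier suites a server certificate can back.
# REQUIREMENTS follows RFC 5246 section 7.4.2; all sample data is constructed.

# key exchange in the suite name -> (certificate key type, keyUsage bit needed)
REQUIREMENTS = {
    "RSA":         ("RSA",   "keyEncipherment"),   # client encrypts the premaster secret to the cert key
    "DHE_RSA":     ("RSA",   "digitalSignature"),  # cert key signs the ephemeral DH parameters
    "ECDHE_RSA":   ("RSA",   "digitalSignature"),
    "ECDHE_ECDSA": ("ECDSA", "digitalSignature"),
    "DHE_DSS":     ("DSA",   "digitalSignature"),
}

def key_exchange(suite):
    """Return the key-exchange part of an IANA suite name, or None if absent."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return None  # e.g. TLS 1.3 names, which do not encode authentication
    return suite[len("TLS_"):suite.index("_WITH_")]

def usable_suites(cert_key_type, key_usage, offered):
    """Keep the offered suites that a certificate of this key type can serve.

    key_usage is the set of keyUsage bits in the certificate, or None when
    the certificate carries no keyUsage extension (no restriction applies).
    """
    usable = []
    for suite in offered:
        requirement = REQUIREMENTS.get(key_exchange(suite))
        if requirement is None:
            continue  # key exchange not covered by this table
        key_type, usage_bit = requirement
        if cert_key_type == key_type and (key_usage is None or usage_bit in key_usage):
            usable.append(suite)
    return usable

# Constructed list of suites a server might have enabled.
OFFERED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    print(usable_suites("RSA", {"digitalSignature", "keyEncipherment"}, OFFERED))
    print(usable_suites("RSA", {"digitalSignature"}, OFFERED))
    print(usable_suites("ECDSA", None, OFFERED))
```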