locked
Changing Key Encryption Method between Skype for Business Edge Servers RRS feed

  • Question

  • (This is in a lab environment)

    By default, SfB Edge Servers agree on the following cipher suite:

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

    I'm interested in using TLS_RSA_WITH_AES_128_CBC_SHA256 instead. 

    So far, by changing policies in gpedit.msc, Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order, I can get force the client to offer TLS_RSA_WITH_AES_128_CBC_SHA256 first in the list of offered ciphers.  A pcap confirms that it's the first cipher offered.  The server still selects TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as the cipher suite.

    I've also been able to disable the Extended Master Secret by making appropriate regedit changes on both the client and server.  Functionality is not affected.

    To force the server to use RSA as the key encryption method, referring to https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll, I add the key PKCS to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms and set the Enabled DWORD value to 1. 

    This time, a pcap suggests that the server is still selecting TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.  Now, though, Presence and IM chats both fail when initiated from the client side.

    Is it possible to force TLS_RSA_WITH_AES_128_CBC_SHA256 for Edge to Edge SSL sessions?  What steps am I missing?


    • Edited by TheGlidd Monday, May 1, 2017 5:55 PM
    Monday, May 1, 2017 5:50 PM

All replies

  • Hi TheGlidd,

    Welcome to post in our forum.

    For your requirement, it’s not recommend that you change to TLS_RSA_WITH_AES_128_CBC_SHA256, we suggest you use TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, because if you change the encryption type, it will reduce the security, and may be bring some risk for network connection, so we suggest you use the default cipher suite.


    Regards,

    Alice Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 2, 2017 7:39 AM
  • I agree, security would be degraded. 

    That said, is such a configuration possible?  Is there anything at the application layer that would prevent the use of RSA for key exchange? 

    Tuesday, May 2, 2017 1:07 PM
  • Hi TheGlidd,

    In the theory, it is possible to change to TLS_RSA_WITH_AES_128_CBC_SHA256

    The following blog is for your reference

    https://serverfault.com/questions/686170/windows-server-2008-r2-sha2-based-cipher-suites
    https://www.petri.com/cipher-best-practice-configure-iis-ssl-tls-protocol

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

    Regards,

    Alice Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 10, 2017 6:12 AM