Cipher Suite for Windows Server 2003 SP2

  • Question

  • Hi All,

     My application is using Windows Server 2003 SP2 and we have enabled TLS 1.0. How do I check the cipher suites that are enabled on the server? I am not able to find the option "SSL Configuration Option" in the Group Policy Editor.

    Is the list below the default list of ciphers for Server 2003?

    • TLS_RSA_WITH_RC4_128_MD5
    • TLS_RSA_WITH_RC4_128_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_DES_CBC_SHA
    • TLS_DHE_DSS_WITH_DES_CBC_SHA
    • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    • TLS_RSA_EXPORT_WITH_RC4_40_MD5
    • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    • TLS_RSA_WITH_NULL_MD5
    • TLS_RSA_WITH_NULL_SHA

    Question: How do I add the following ciphers to the Microsoft server?

    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

    The ciphers (RC4 128/128, RC 40/128, RC 56/128) are disabled and (AES 128/128, AES 256/256) are enabled in the server's registry editor.

    Appreciate if anyone can help on this. Thank You.

    Regards,

    Ros

    Tuesday, August 16, 2016 5:51 AM
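
One way to list the cipher entries the question refers to in the registry, as an added example that is not part of the original thread. It assumes PowerShell 2.0 is installed on the server and that the overrides live under the standard SCHANNEL `Ciphers` key; the function name `Get-SchannelCipherState` is hypothetical. The output shows only what is configured in the registry, not which ciphers the installed OS build actually implements.

```powershell
# Added example (not from the thread): report the per-cipher "Enabled"
# overrides stored under the SCHANNEL Ciphers registry key.
$CiphersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    param([string]$Path = $CiphersKey)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    foreach ($key in Get-ChildItem -Path $Path) {
        # Cipher subkey names contain '/' (e.g. "RC4 128/128"), which the
        # registry provider can treat as a path separator. Take the leaf
        # from the full key name and read the value through the
        # RegistryKey object instead of building a provider path.
        $name  = $key.Name.Substring($key.Name.LastIndexOf('\') + 1)
        $value = $key.GetValue('Enabled', $null)

        if ($null -eq $value) {
            # No override present: the operating system default applies.
            $state = 'NotConfigured'
            $raw   = ''
        } elseif ($value -eq 0) {
            $state = 'Disabled'
            $raw   = '0x00000000'
        } else {
            # Any non-zero DWORD (typically 0xffffffff) means enabled.
            $state = 'Enabled'
            $raw   = '0x{0:X8}' -f $value
        }

        New-Object PSObject -Property @{
            Cipher       = $name
            State        = $state
            EnabledValue = $raw
        }
    }
}

Get-SchannelCipherState |
    Sort-Object Cipher |
    Format-Table Cipher, State, EnabledValue -AutoSize
```

An entry reported as Enabled here only reflects the registry setting; whether the matching cipher suites can be negotiated depends on what the installed Schannel supports, which is the point the replies in this thread address.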

All replies

  • Hi All,

     Any idea?

    Wednesday, August 17, 2016 5:12 AM
  • Windows Server 2003 does not support AES.

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    • Proposed as answer by Amy Wang_ Monday, August 22, 2016 12:38 PM
    Wednesday, August 17, 2016 5:34 AM
  • Hi PowerShell,

     Does it mean that I am not able to add the following cipher list to Microsoft Server 2003 manually?

    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

    Thanks.

    Wednesday, August 17, 2016 6:08 AM
  • Hi PowerShell,

     Does it mean that I am not able to add the following cipher list to Microsoft Server 2003 manually?

    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

    Thanks.

    Yes, you cannot add these cipher suites. They are available starting with Windows Server 2008.

    Vadims Podāns, aka PowerShell CryptoGuy

    • Proposed as answer by Amy Wang_ Monday, August 22, 2016 12:38 PM
    • Marked as answer by Amy Wang_ Wednesday, September 7, 2016 10:39 AM
    Wednesday, August 17, 2016 8:30 AM
  • Hi,

    Is further assistance required at the moment?

    Best Regards,

    Amy



    Thursday, August 25, 2016 12:17 PM
  • Hi

    There is a patch for Windows Server 2003 to support AES cipher suites.

    See the links above:

    https://support.microsoft.com/en-us/help/3050509/improving-cipher-security-in-windows-server-2003-sp2

    https://support.microsoft.com/en-us/help/948963

    Regards,

    Hugo Silva

    Tuesday, February 13, 2018 12:00 PM