TLS_RSA_WITH_NULL_MD5 cipher support in Windows 2012 R2

  • Question

  • We need to support the Cipher TLS_RSA_WITH_NULL_MD5 on 2012 R2. This is to allow some legacy 2003 servers on TLS 1.0 to connect to SQL 2012 on port 1433 using this cipher.

    I have attempted to specify this cipher in the registry, at the location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\0010002, in the registry key "functions". Numerous ciphers are already specified. I then restarted the server.

    So far, testing using a cipher scanner (nmap) does not show the cipher as being enabled. Has this cipher been patched out of 2012 R2?


    Tuesday, July 2, 2019 8:37 AM

Answers

  • Hello,

    The TLS_RSA_WITH_NULL_MD5 is supported by Windows Server 2012 R2, but is not enabled by default.

    To add cipher suites, use the group policy setting SSL Cipher Suite Order under:
    Computer Configuration > Administrative Templates > Network > SSL Configuration Settings

    Then configure a priority list for all cipher suites you want enabled.

    More information over here:
    TLS Cipher Suites in Windows 8.1

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Tuesday, July 2, 2019 8:46 AM

All replies

  • Using group policy presented us with a problem: there is only support for a limited number of 1023 characters, which would have resulted in having to remove some ciphers. With further research, and using a third-party tool called IIS Crypto 3.0, I was able to determine that the registry key that needs to be modified is actually HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002.

    The key I mentioned in my first post did not have any impact. It is likely using group policy would also modify the key above.

    Although IIS Crypto 3.0 suggests that TLS_RSA_WITH_NULL_MD5 is enabled, the Windows 2003 clients are still unable to connect, with event ID 36874 errors in the server logs: "An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."


    Wednesday, July 3, 2019 9:44 AM
  • Indeed the IIS Crypto is a good tool to check which ciphers are in use.

    As for your issue, it might be better to start a new thread describing your exact issue and what you want to achieve, this way we don't mix multiple things in one single thread.


    Blog: https://thesystemcenterblog.com

    Wednesday, July 3, 2019 9:52 AM
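
An added example, not code from the thread or from Microsoft: a PowerShell check that parses the `Functions` value of the policy key named in the July 3 reply, reports whether TLS_RSA_WITH_NULL_MD5 is listed, and measures the comma-joined list against the 1023-character limit that reply mentions. The function name `Test-CipherSuiteOrder`, its parameters and the sample list are hypothetical.

```powershell
# Added example: audit a Schannel cipher suite order value (hypothetical helper).
function Test-CipherSuiteOrder {
    param(
        [Parameter(Mandatory = $true)] $Functions,  # comma-separated string or string[]
        [string] $Suite = 'TLS_RSA_WITH_NULL_MD5',
        [int] $PolicyLimit = 1023                   # limit as reported in the thread
    )
    # Normalise either value shape into a clean list of suite names.
    $list = @($Functions | ForEach-Object { $_ -split ',' } |
              ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $joined = $list -join ','
    $pos    = [array]::IndexOf($list, $Suite)       # -1 when the suite is absent
    [pscustomobject]@{
        SuiteCount        = $list.Count
        SuiteListed       = $pos -ge 0
        SuitePosition     = $pos + 1                # 1-based priority, 0 = absent
        JoinedLength      = $joined.Length
        WithinPolicyLimit = $joined.Length -le $PolicyLimit
        # NULL suites integrity-check traffic but do not encrypt it.
        NullSuites        = @($list | Where-Object { $_ -match '_WITH_NULL_' })
    }
}

# Constructed sample value, not taken from any real server.
$sample = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,' +
          'TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_NULL_MD5'
Test-CipherSuiteOrder -Functions $sample

# On a live server: read the policy key named in the reply above.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$prop = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
if ($prop) { Test-CipherSuiteOrder -Functions $prop.Functions }
else       { "No Functions value found under $key." }
```

The check only shows what is configured in that key; whether a given client can negotiate the suite still has to be confirmed with a scan or a test connection.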