Enable Specific TLS 1.2 Cipher Suite Support in Windows Server 2012 R2

  • Question

  • I am running Windows Server 2012 R2 as an AD Domain Controller, and have a functioning MS PKI.  I am having trouble getting various LDAP clients to connect using LDAP over SSL (LDAPS) on port 636.  I would like to see if anyone can suggest how to enable Windows to use specific TLS 1.2 ciphers that are supported by my clients.

    The SChannel service is tearing down the TCP connection and offering the following description in the event logs.

    Log Name:      System
    Source:        Schannel
    Date:          7/28/2015 12:28:04 PM
    Description:  An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

    Log Name:      System
    Source:        Schannel
    Date:          7/28/2015 12:28:04 PM
    Description:  A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

    So far, I have tested two clients, LDAPAdmin 1.6 and a Cisco ASA using LDAPS for AAA.  Packet captures of both exchanges show the list of ciphers offered by the clients, but I'm not sure if any of these are actually enabled by default.  It seems strange that they wouldn't be.

    LDAPAdmin 1.6 Cipher List from PCAP:

    Secure Sockets Layer
        SSL Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)

    Cipher Suites (26 suites)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                    Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

    Elliptic curves (2 curves)
                        Elliptic curve: secp256r1 (0x0017)
                        Elliptic curve: secp384r1 (0x0018)

    Signature Hash Algorithms (9 algorithms)
                        Signature Hash Algorithm: 0x0401
                            Signature Hash Algorithm Hash: SHA256 (4)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0501
                            Signature Hash Algorithm Hash: SHA384 (5)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0601
                            Signature Hash Algorithm Hash: SHA512 (6)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0201
                            Signature Hash Algorithm Hash: SHA1 (2)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0403
                            Signature Hash Algorithm Hash: SHA256 (4)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0503
                            Signature Hash Algorithm Hash: SHA384 (5)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0603
                            Signature Hash Algorithm Hash: SHA512 (6)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0203
                            Signature Hash Algorithm Hash: SHA1 (2)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0202
                            Signature Hash Algorithm Hash: SHA1 (2)
                            Signature Hash Algorithm Signature: DSA (2)

    Cisco ASA Cipher List from PCAP:

    Cipher Suites (25 suites)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                    Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                    Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                    Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
                    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

    Elliptic curves (4 curves)
                        Elliptic curve: secp521r1 (0x0019)
                        Elliptic curve: secp384r1 (0x0018)
                        Elliptic curve: secp256r1 (0x0017)
                        Elliptic curve: secp192r1 (0x0013)

    Signature Hash Algorithms (13 algorithms)

                        Signature Hash Algorithm: 0x0000
                            Signature Hash Algorithm Hash: None (0)
                            Signature Hash Algorithm Signature: Anonymous (0)
                        Signature Hash Algorithm: 0x0401
                            Signature Hash Algorithm Hash: SHA256 (4)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0501
                            Signature Hash Algorithm Hash: SHA384 (5)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0601
                            Signature Hash Algorithm Hash: SHA512 (6)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0301
                            Signature Hash Algorithm Hash: SHA224 (3)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0201
                            Signature Hash Algorithm Hash: SHA1 (2)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0101
                            Signature Hash Algorithm Hash: MD5 (1)
                            Signature Hash Algorithm Signature: RSA (1)
                        Signature Hash Algorithm: 0x0202
                            Signature Hash Algorithm Hash: SHA1 (2)
                            Signature Hash Algorithm Signature: DSA (2)
                        Signature Hash Algorithm: 0x0403
                            Signature Hash Algorithm Hash: SHA256 (4)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0503
                            Signature Hash Algorithm Hash: SHA384 (5)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0603
                            Signature Hash Algorithm Hash: SHA512 (6)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0303
                            Signature Hash Algorithm Hash: SHA224 (3)
                            Signature Hash Algorithm Signature: ECDSA (3)
                        Signature Hash Algorithm: 0x0203
                            Signature Hash Algorithm Hash: SHA1 (2)
                            Signature Hash Algorithm Signature: ECDSA (3)

    Here's a list of Microsoft references I have found so far; however, I am not finding specifically how to enable any of these ciphers in the registry.

    Supported Cipher Suites and Protocols in the Schannel SSP
    https://technet.microsoft.com/en-us/library/dn786419.aspx

    TLS/SSL Settings
    https://technet.microsoft.com/en-us/library/dn786418.aspx?f=255&MSPPError=-2147217396
    Tuesday, July 28, 2015 9:06 PM

Answers

  • Hi,

    To enable or disable cipher suites in SCHANNEL, please follow the link below:

    https://support.microsoft.com/en-us/kb/245030

    Note: These settings only take effect after a reboot.

    Besides, even if the cipher suites are enabled, it depends on the application to determine whether it will use these cipher suites.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Wednesday, July 29, 2015 6:22 AM
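The following is an added example, not code from the question or the answer: it shows how to read the two Client Hello dumps in the question against the server-side cipher suite order setting the answer's KB link covers. It parses the Wireshark "Cipher Suite:" lines, performs the server-preference match Schannel does (so an empty overlap is exactly the "none of the cipher suites supported by the client application are supported by the server" condition), and separates the client suites worth enabling from the ones (RC4, NULL, MD5, 3DES) that should stay off. The server list is a constructed sample, and the handling of `_P256`/`_P384` curve suffixes is an assumption about how Windows Server 2012 R2 names its ECDHE suites.

```python
import re
# Constructed sample in the layout of the Wireshark Client Hello dumps above (a subset).
CLIENT_HELLO_DUMP = """
Cipher Suites (5 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
"""
# Constructed sample of the server's enabled suites in the comma-separated form of the
# Schannel cipher suite order setting (assumption: 2012 R2 ECDHE entries carry _P256/_P384).
SERVER_SUITE_ORDER = ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,"
                      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,"
                      "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA")

SUITE_RE = re.compile(r"Cipher Suite:\s+(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-f]{4})\)")
CURVE_SUFFIX_RE = re.compile(r"_P(256|384|521)$")
WEAK_MARKERS = ("_RC4_", "_NULL_", "_3DES_", "_MD5", "_anon_")

def parse_client_suites(dump):
    """Offered suites in client order as (name, code); SCSV signalling values skipped."""
    return [(m.group(1), int(m.group(2), 16))
            for m in SUITE_RE.finditer(dump) if not m.group(1).endswith("_SCSV")]

def parse_server_suites(order_string):
    """Split the order string and strip curve suffixes so names match the client's."""
    result = []
    for entry in order_string.split(","):
        base = CURVE_SUFFIX_RE.sub("", entry.strip())
        if base and base not in result:
            result.append(base)
    return result

def is_weak(suite):
    return any(marker in suite for marker in WEAK_MARKERS)

def negotiate(client_suites, server_suites):
    """Server-preference pick; None means no overlap, which is what the Schannel event reports."""
    offered = {name for name, _ in client_suites}
    return next((s for s in server_suites if s in offered), None)

def diagnose(dump, order_string):
    """Negotiated suite plus the non-weak client suites that could be enabled server-side."""
    client, server = parse_client_suites(dump), parse_server_suites(order_string)
    return {"chosen": negotiate(client, server),
            "enable_candidates": [n for n, _ in client if n not in server and not is_weak(n)],
            "weak_offered": [n for n, _ in client if is_weak(n)]}
```

To run it against a real capture, paste the full "Cipher Suites" section from Wireshark into `CLIENT_HELLO_DUMP` and the server's actual order string into `SERVER_SUITE_ORDER`; an empty `enable_candidates` with `chosen` of `None` means the client only offers suites that should not be turned on.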