none
SSL with 256bit Strength RRS feed

  • Question

  • We have TMG 2010 and publish a Website with SSL. The Certificate supports 128bit up to 256 bit encryption. How can we force to use 256bit only?

    Mark

    Thursday, August 4, 2011 10:06 AM

Answers

  • Hi,

     

    Thank you for the post.

     

    In order to get IIS7 to do 256 bit encryption, we have to ensure the cipher suit that is listed first is the following: TLS_RSA_WITH_AES_256_CBC_SHA

     

    In order to change the Cipher Suite order we can do the following:

    - Run gpedit.msc from the command line

    - within the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Network.

    - Under Network, select SSL Configuration and then double click on SSL Cipher Suite Order

    - By Default the SSL Cipher Suite Order is set to "Not Configured"

    - To enable 256-bit encryption, select the "enabled" radio button

    - Within the SSL Cipher Suites text box, remove TLS_RSA_WITH_AES_128_CBC_SHA or at least place it behind TLS_RSA_WITH_AES_256_CBC_SHA.

     

    TLS_RSA_WITH_AES_256_CBC_SHA has to be the first cpiher suite listed in order for us to connect with 256-bith encryption.

     

    Once the steps above have been completed, restart the server for the changes to take effect. Now we can browse a page served on the IIS7 server and confirm it is using 256 bit encryption. To do this, right click on the page, select properties and you should see the following:

    TLS 1.0, AES with 256 bit encryption (High); RSA with 1024 bit exchange

     

    Regards,
    Nick Gu - MSFT
    Friday, August 5, 2011 8:20 AM
    Moderator

All replies

  • Hi,

     

    Thank you for the post.

     

    In order to get IIS7 to do 256 bit encryption, we have to ensure the cipher suit that is listed first is the following: TLS_RSA_WITH_AES_256_CBC_SHA

     

    In order to change the Cipher Suite order we can do the following:

    - Run gpedit.msc from the command line

    - within the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Network.

    - Under Network, select SSL Configuration and then double click on SSL Cipher Suite Order

    - By Default the SSL Cipher Suite Order is set to "Not Configured"

    - To enable 256-bit encryption, select the "enabled" radio button

    - Within the SSL Cipher Suites text box, remove TLS_RSA_WITH_AES_128_CBC_SHA or at least place it behind TLS_RSA_WITH_AES_256_CBC_SHA.

     

    TLS_RSA_WITH_AES_256_CBC_SHA has to be the first cpiher suite listed in order for us to connect with 256-bith encryption.

     

    Once the steps above have been completed, restart the server for the changes to take effect. Now we can browse a page served on the IIS7 server and confirm it is using 256 bit encryption. To do this, right click on the page, select properties and you should see the following:

    TLS 1.0, AES with 256 bit encryption (High); RSA with 1024 bit exchange

     

    Regards,
    Nick Gu - MSFT
    Friday, August 5, 2011 8:20 AM
    Moderator
  • Hi!

    I am also having the same issue. I have already done as suggested in this thread.

    I have installed godaddy.com Wildcard SSL certificate in a Server which is in a datacenter. The Server is Windows 2008 R2 with Service Pack 1 and running IIS7.5
    I am trying to make it 256 bit SSL. I have applied all suggestions given in the following guide
    http://derek858.blogspot.in/2010/06/enable-tls-12-aes-256-and-sha-256-in.html
    But it's still showing 128 bit SSL in my sites https://admin.chatware.com  & https://service11.chatware.com

    Please help!

    Asim Chandra

    Friday, February 10, 2012 12:37 PM
  • It would appear that following this change on windows server 2012, that remote desktop fails to self sign its' certs and you can no longer RDP into a machine.

    Friday, July 12, 2013 2:39 AM