SSL with 256bit Strength

  • Question

  • We have TMG 2010 and publish a Website with SSL. The Certificate supports 128-bit up to 256-bit encryption. How can we force it to use 256-bit only?

    Mark

    Thursday, August 4, 2011 10:06 AM

Answers

  • Hi,

    Thank you for the post.

    In order to get IIS7 to do 256 bit encryption, we have to ensure the cipher suite that is listed first is the following: TLS_RSA_WITH_AES_256_CBC_SHA

    In order to change the Cipher Suite order we can do the following:

    - Run gpedit.msc from the command line
    - Within the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Network.
    - Under Network, select SSL Configuration and then double click on SSL Cipher Suite Order
    - By default the SSL Cipher Suite Order is set to "Not Configured"
    - To enable 256-bit encryption, select the "Enabled" radio button
    - Within the SSL Cipher Suites text box, remove TLS_RSA_WITH_AES_128_CBC_SHA or at least place it behind TLS_RSA_WITH_AES_256_CBC_SHA.

    TLS_RSA_WITH_AES_256_CBC_SHA has to be the first cipher suite listed in order for us to connect with 256-bit encryption.

    Once the steps above have been completed, restart the server for the changes to take effect. Now we can browse a page served on the IIS7 server and confirm it is using 256 bit encryption. To do this, right click on the page, select Properties and you should see the following:

    TLS 1.0, AES with 256 bit encryption (High); RSA with 1024 bit exchange

    Regards,
    Nick Gu - MSFT
    Friday, August 5, 2011 8:20 AM
    Moderator
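    A way to audit what the policy described above actually stores, as an added PowerShell example that is not part of this thread or of any Microsoft tooling. It assumes the Schannel policy registry path used by the "SSL Cipher Suite Order" setting and a hypothetical -Apply switch, and it only reorders suites rather than removing any, since a later reply in this thread reports RDP breaking on Server 2012 after the list was changed.

```powershell
<#
  Added example, not from the thread: audit the cipher suite order that the
  "SSL Cipher Suite Order" policy stores in the registry and, with -Apply, move
  AES-256 suites ahead of AES-128 ones without dropping any suite.
  Assumptions: the Schannel policy key path below; run elevated for -Apply.
#>
param([switch]$Apply)   # hypothetical switch; the default run is read-only
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherSuiteOrder {
    # Returns the configured suites in order, or $null when the policy is "Not Configured".
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Sort-Aes256First {
    # Stable partition: AES-256 suites first, everything else after, relative order kept.
    param([string[]]$Suites)
    return @($Suites | Where-Object { $_ -like '*_AES_256_*' }) +
           @($Suites | Where-Object { $_ -notlike '*_AES_256_*' })
}

$current = Get-PolicyCipherSuiteOrder
if ($null -eq $current) {
    Write-Output 'Policy is Not Configured; Schannel is using the OS default order.'
    return
}

$pos128 = [array]::IndexOf($current, 'TLS_RSA_WITH_AES_128_CBC_SHA')
$pos256 = [array]::IndexOf($current, 'TLS_RSA_WITH_AES_256_CBC_SHA')
if ($pos256 -lt 0) {
    Write-Warning 'TLS_RSA_WITH_AES_256_CBC_SHA is missing from the policy list.'
} elseif ($pos128 -ge 0 -and $pos128 -lt $pos256) {
    Write-Warning 'The AES-128 suite precedes the AES-256 suite; clients can negotiate 128-bit.'
} else {
    Write-Output 'The AES-256 suite already precedes the AES-128 suite.'
}
# The policy value replaces the OS default list outright, so removing entries (rather
# than reordering) can break other Schannel consumers, as this thread reports for RDP.
$target = Sort-Aes256First -Suites $current
if ($Apply -and (($target -join ',') -ne ($current -join ','))) {
    $joined = $target -join ','
    # The documented limit of this policy value is 1023 characters.
    if ($joined.Length -gt 1023) { throw 'Reordered list exceeds the 1023-character policy limit.' }
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value $joined -Type String
    Write-Output 'Order rewritten; reboot the server for Schannel to load it.'
}
```

    Running it without -Apply after the GUI steps shows whether the saved order matches what the answer calls for; rebooting is still required for Schannel to pick up a change.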

All replies

  • Hi!

    I am also having the same issue. I have already done as suggested in this thread.

    I have installed a godaddy.com Wildcard SSL certificate on a Server which is in a datacenter. The Server is Windows 2008 R2 with Service Pack 1 and running IIS7.5.
    I am trying to make it 256 bit SSL. I have applied all suggestions given in the following guide:
    http://derek858.blogspot.in/2010/06/enable-tls-12-aes-256-and-sha-256-in.html
    But it's still showing 128 bit SSL on my sites https://admin.chatware.com & https://service11.chatware.com

    Please help!

    Asim Chandra

    Friday, February 10, 2012 12:37 PM
  • It would appear that following this change on Windows Server 2012, Remote Desktop fails to self-sign its certs and you can no longer RDP into a machine.

    Friday, July 12, 2013 2:39 AM