How do I add new cipher suites (listed below) to Windows 2012 R2 and Windows 2008 R2?

  • Question

  • I have a client that has enabled the below 3 ciphers on their machine:

    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    We were initially hitting the endpoint on the above machine via a 2008 R2 machine. Through Wireshark, I found out that we were having a handshake failure because the 3 they mentioned above didn't match with the 19 suites we send across to them in our 'Client Hello'. We found that updated Windows might support some of the latest ciphers.

    So yesterday we tried the same from our Windows 2012 R2 machine and even though we send about 24 cipher suites in our 'Client Hello' call as seen in Wireshark, nothing matches the 3 the client has enabled in their machine. I went through the supported ciphers mentioned in MS Docs for 2008R2 and 2012R2 and I couldn't find the above 3. Doc was last updated in 2018. I also confirmed the same by checking the list provided in 'SSL Configuration settings' in both the servers. The 3 were not in the list in the settings window.

    How can I add/enable these 3 ciphers in 2008 R2 and 2012 R2?

    Update:
    I found in some forums that these are supported from Server 2016 onwards only. Is there no way to get these 3 enabled in 2012 if not 2008?

    • Edited by Aswin Francis Wednesday, April 29, 2020 7:45 AM updated with new found info
    Wednesday, April 29, 2020 7:19 AM

All replies

  • Hello,

    Thank you for posting in our TechNet forum.

    According to your description, you want to add three new ciphers in the server 2008R2 and 2012.

    I did a lot of research and I think that these three ciphers have not been supported in 2008R2 and 2012. I suggest that you could choose other ciphers for these two machines.

    Thanks for your understanding

    Jolin

    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, April 30, 2020 7:08 AM
  • Good day!
     
    As we haven’t heard from you for a few days, may I confirm with you on the latest status?
     
    Much appreciated for your response in advance.

    Jolin

    Monday, May 4, 2020 3:14 AM
  • Believe you are doing well.

    This is a kind follow up on this case. May I know the latest status?

    Thanks and looking forward to your reply

    Thursday, May 7, 2020 5:40 AM