Windows Server 2012

Website running on Windows Server 2012 R2.

When testing the website on SSL Labs, you may receive the message below:

"This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B."

SSL Labs

From SSL Labs website:

"Grade will be capped to B, if AEAD suites are not supported. As with forward secrecy, we will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them."


Ciphers available on Windows Server 2012 R2


The following cipher suites support AEAD encryption on Windows Server 2012 R2:







The first 3 ciphers listed above are ECDSA ciphers and need an ECDSA certificate with an ECC public key. If you are using an RSA certificate, those ciphers are not used.


The other 2 ciphers use DHE. If you enable those 2 ciphers on your web server, the SSL Labs test will cap your grade to B because the default DHE on Windows uses a 1024 bytes key, which is marked as "weak".

SSL Labs message: "This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B."


To fix it, you can increase the DHE key size to 2048 by adding the registry key below:



With this setting you will have an AEAD cipher that is not classified as "weak", and SSL Labs will give you an A grade.
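
The two checks described above, as an added example that is not from the original page: it lists the GCM (AEAD) suites in the configured cipher suite order, notes which ones need an ECDSA certificate, and reads the Schannel DHE minimum key size. It assumes the documented Schannel value `ServerMinKeyBitLength` and the standard cipher suite order registry paths; `-Apply` is a hypothetical switch of this script that writes the 2048 minimum.

```powershell
# Added example: audit Schannel AEAD suites and the DHE minimum key size.
param([switch]$Apply)  # hypothetical switch: when set, write the 2048 minimum

# Assumed locations: Group Policy and local cipher suite order, Schannel DH settings.
$policyOrder = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localOrder  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$dhKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-SuiteOrder {
    # A policy-defined order overrides the local default; the value may be a
    # comma-separated string or a multi-string, so normalise both to an array.
    foreach ($path in $policyOrder, $localOrder) {
        $p = Get-ItemProperty -Path $path -Name Functions -ErrorAction SilentlyContinue
        if ($p -and $p.Functions) {
            return @(@($p.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()
}

function Get-DheMinBits {
    $v = Get-ItemProperty -Path $dhKey -Name ServerMinKeyBitLength -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.ServerMinKeyBitLength }
    return $null   # value absent: the OS default applies
}

if ($Apply) {
    if (-not (Test-Path $dhKey)) { New-Item -Path $dhKey -Force | Out-Null }
    New-ItemProperty -Path $dhKey -Name ServerMinKeyBitLength -PropertyType DWord -Value 2048 -Force | Out-Null
}

$minBits = Get-DheMinBits
$aead = @(Get-SuiteOrder | Where-Object { $_ -match '_GCM_' })
if ($aead.Count -eq 0) { Write-Warning 'No GCM (AEAD) suites in the configured order.' }

foreach ($suite in $aead) {
    if ($suite -match '_ECDSA_') {
        $note = 'usable only with an ECDSA certificate'
    } elseif ($suite -match '^TLS_DHE_') {
        $note = if ($minBits -ge 2048) { "DHE minimum is $minBits" } else { 'DHE minimum not raised to 2048: expect the weak DH cap' }
    } else {
        $note = 'AEAD suite without DHE'
    }
    [pscustomobject]@{ Suite = $suite; Note = $note }
}
```

Run it from an elevated PowerShell prompt; Schannel registry changes generally take effect after a restart.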



Windows 2016

Windows Server 2016 has other cipher suites that support AEAD and don't use DHE.


Ciphers available on Windows Server 2016




IISCrypto is a good tool to set TLS parameters and modify the ciphers used on Windows.