My question is simple. My server's operating system is Windows Server 2012 R2 and all updates were made on it. When I run IIS Crypto I couldn't find the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suite. To find this, should I use Windows Server 2016 or is there another way to get it?
If you go to a secure website or service using Chrome you can see which cipher suite was negotiated. Any HTTPS site will give you this information. At the top of the developer tools window, you will see a tab called security. Click it.
To add cipher suites, either deploy a group policy or use the TLS cmdlets: To use group policy, configure SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all cipher suites you want enabled.
Each segment in a cipher suite name stands for a different algorithm or protocol. An example of a cipher suite name: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. The meaning of this name is: TLS defines the protocol that this cipher suite is for; it will usually be TLS. ECDHE indicates the key exchange algorithm being used.
TLS_AES_256_GCM_SHA384. Essentially, this SSL cipher suite now includes only two elements: an encryption algorithm and a hashing algorithm. The key exchange takes place through the Diffie-Hellman algorithm, as RSA is eliminated entirely.
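The naming scheme described above, as an added Python example that is not part of the original posts: it splits a suite name into its segments (both the `_WITH_` form and the shorter TLS 1.3 form) and reports which suites in a list carry the wanted cipher and hash under a different key exchange or authentication pair. The `OFFERED` list is constructed for illustration, and the handling of a trailing curve suffix such as `_P384` is an assumption of this example.

```python
import re

# Older Schannel listings append the curve to the name (e.g. ..._P384); treated
# here as an optional suffix. This handling is an assumption of the example.
_CURVE = re.compile(r"_(P\d{3})$")


def parse_suite(name):
    """Split a cipher suite name into key exchange, auth, cipher and hash."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name!r}")
    body, curve = name[len("TLS_"):], None
    match = _CURVE.search(body)
    if match:
        curve, body = match.group(1), body[:match.start()]
    if "_WITH_" in body:
        left, right = body.split("_WITH_", 1)
        parts = left.split("_")
        kx, auth = parts[0], parts[-1]  # TLS_RSA_WITH_...: RSA does both jobs
    else:
        kx, auth, right = None, None, body  # TLS 1.3 form: cipher + hash only
    cipher, _, digest = right.rpartition("_")
    return {"kx": kx, "auth": auth, "cipher": cipher, "hash": digest, "curve": curve}


def near_misses(wanted, offered):
    """Offered suites with the wanted cipher and hash but another kx/auth pair."""
    want = parse_suite(wanted)
    hits = []
    for name in offered:
        got = parse_suite(name)
        same_bulk = (got["cipher"], got["hash"]) == (want["cipher"], want["hash"])
        same_pair = (got["kx"], got["auth"]) == (want["kx"], want["auth"])
        if same_bulk and not same_pair:
            hits.append(name)
    return hits


# Constructed sample list for illustration, not an authoritative Windows listing.
OFFERED = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
WANTED = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

if __name__ == "__main__":
    print(parse_suite(WANTED))
    print(near_misses(WANTED, OFFERED))
```

A non-empty result from `near_misses` means the bulk cipher is available but only with a different key exchange or certificate type, which is the situation to check before changing the server version or the certificate.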
We found that updated Windows might support some of the latest ciphers. So yesterday we tried the same from our Windows 2012 R2 machine and even though we send about 24 cipher suites in our 'Client Hello' call as seen in Wireshark, nothing matches the 3 the client has enabled in their machine.
AES-GCM is about how you encrypt the data in your connection, EC-DSA or RSA about how the server identifies itself to the client. There is therefore no reason why you couldn't do AES-GCM encryption with an RSA authentication.
Depending on the certificate, GCM cipher is offered by the server or not. With a self-signed ECDSA certificate I got GCM to work but older browsers or Windows XP can't connect to such an HTTPS site.
Microsoft has a docs page that lists all the Windows versions and their cipher suites. First server version to support this cipher suite is indeed Windows Server 2016. (answered Feb 11 '18 at 12:06 by jessehouwing)
Unfortunately Windows 2012 Server doesn't support tls-ecdhe-rsa-with-aes-256-gcm-sha384 or 256/128 Ciphers.