My PCI scans are failing on my win 2012 R2 server because of this.
Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
They told me it was this one DES-CBC3-SHA I believe Microsoft refers to it as TLS_RSA_WITH_3DES_EDE_CBC_SHA
I would prefer to turn this off using the registry. Anyone know how? Thanks.
I figured it out. On win 2012 r2 all you have to do is add this reg key. It takes effect immediately. REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168] "Enabled"=dword:00000000
I verified it works using: https://www.ssllabs.com/ssltest/analyze.html
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With