
W2012 How to turn off TLS_RSA_WITH_3DES_EDE_CBC_SHA

My PCI scans are failing on my win 2012 R2 server because of this.

Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (> 64-bit and < 112-bit key)
    TLSv1
      DES-CBC3-SHA    Kx=RSA    Au=RSA    Enc=3DES-CBC(168)    Mac=SHA1

They told me it was this one: DES-CBC3-SHA. I believe Microsoft refers to it as TLS_RSA_WITH_3DES_EDE_CBC_SHA.

I would prefer to turn this off using the registry. Anyone know how? Thanks.

asked Jan 17 '17 15:01
Austin


1 Answer

I figured it out. On win 2012 r2 all you have to do is add this reg key. It takes effect immediately.

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

I verified it works using: https://www.ssllabs.com/ssltest/analyze.html

answered Sep 22 '22 18:09
Austin
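
The registry change from the answer above, written as an idempotent PowerShell script that reports the state before and after. This is an added example, not part of the original answer; the function names are hypothetical, and the key path and value are the ones the answer gives. It assumes an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and apply the Schannel setting from the answer.
# Get-TripleDesState and Disable-TripleDes are hypothetical helper names.

$CipherKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'

function Get-TripleDesState {
    # 'NotConfigured' : key or value absent, so the OS default applies
    # 'Disabled'      : Enabled = 0 (the value from the answer)
    # 'Enabled'       : any other value (Microsoft documents 0xffffffff)
    $prop = Get-ItemProperty -Path $CipherKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $prop)     { return 'NotConfigured' }
    if ($prop.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-TripleDes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ((Get-TripleDesState) -eq 'Disabled') {
        Write-Verbose 'Triple DES 168 is already disabled; nothing to change.'
        return
    }
    if ($PSCmdlet.ShouldProcess($CipherKey, 'Set Enabled = 0')) {
        # Create the cipher subkey if it does not exist yet.
        if (-not (Test-Path -Path $CipherKey)) {
            New-Item -Path $CipherKey -Force | Out-Null
        }
        # Same value as the .reg file: "Enabled"=dword:00000000
        New-ItemProperty -Path $CipherKey -Name 'Enabled' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

$before = Get-TripleDesState
Disable-TripleDes -Verbose
$after = Get-TripleDesState

# Before/after record, useful as evidence for the PCI scan remediation.
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Key      = $CipherKey
    Before   = $before
    After    = $after
}
```

Calling `Disable-TripleDes -WhatIf` previews the change without writing to the registry.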