TLS ciphers - how to disable in Windows Registry

Hi All,

I need to disable the below ciphers.

TLSv1
      EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export    
      EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export    
      EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)  

I know this should be done from the registry here: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\xxxxx

However I'm not sure what the registry keys should be named to for the above ciphers, could someone help me with this?

Thanks you!
gmanInfrastructure Engineer Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Paris VicenteSystems and Comunications  Administrator Commented:
Hi Gary,

A few weeks ago I helped another user with a similar problem here is the link, in this post I point to another link with several steps to solved a similar problem, please also check here
I hope it could help you solve your issues.

Regards
0
gmanInfrastructure Engineer Author Commented:
Thanks David,

I know how to disable the ciphers however I'm unsure of the naming conversion for the registry keys. I ran the tool you suggested 'SSLSmart' would the key's just be named the same as the cipher name. See screen.

SSL Scan result
0
David Paris VicenteSystems and Comunications  Administrator Commented:
Hi,

You will need to create for each cypher a reg key.
Like this
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
 "Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
 "Enabled"=dword:00000000

For a better understanding I Advise you to check this KB I also advise you to make a backup of the registry, because as you should know this can affect your OS.

And  run the tests again

I hope it helps you.

Regards
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.