?
Solved

TLS ciphers - how to disable in Windows Registry

Posted on 2014-11-18
3
Medium Priority
?
4,391 Views
Last Modified: 2014-11-23
Hi All,

I need to disable the below ciphers.

TLSv1
      EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export    
      EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export    
      EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)  

I know this should be done from the registry here: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\xxxxx

However I'm not sure what the registry keys should be named to for the above ciphers, could someone help me with this?

Thanks you!
0
Comment
Question by:gman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 40450997
Hi Gary,

A few weeks ago I helped another user with a similar problem here is the link, in this post I point to another link with several steps to solved a similar problem, please also check here
I hope it could help you solve your issues.

Regards
0
 

Author Comment

by:gman
ID: 40452371
Thanks David,

I know how to disable the ciphers however I'm unsure of the naming conversion for the registry keys. I ran the tool you suggested 'SSLSmart' would the key's just be named the same as the cipher name. See screen.

SSL Scan result
0
 
LVL 12

Accepted Solution

by:
David Paris Vicente earned 1500 total points
ID: 40454855
Hi,

You will need to create for each cypher a reg key.
Like this
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
 "Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
 "Enabled"=dword:00000000

For a better understanding I Advise you to check this KB I also advise you to make a backup of the registry, because as you should know this can affect your OS.

And  run the tests again

I hope it helps you.

Regards
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question