Solved

TLS ciphers - how to disable in Windows Registry

Posted on 2014-11-18
3
2,220 Views
Last Modified: 2014-11-23
Hi All,

I need to disable the below ciphers.

TLSv1
      EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export    
      EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export    
      EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)  

I know this should be done from the registry here: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\xxxxx

However I'm not sure what the registry keys should be named to for the above ciphers, could someone help me with this?

Thanks you!
0
Comment
Question by:gman
  • 2
3 Comments
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 40450997
Hi Gary,

A few weeks ago I helped another user with a similar problem here is the link, in this post I point to another link with several steps to solved a similar problem, please also check here
I hope it could help you solve your issues.

Regards
0
 

Author Comment

by:gman
ID: 40452371
Thanks David,

I know how to disable the ciphers however I'm unsure of the naming conversion for the registry keys. I ran the tool you suggested 'SSLSmart' would the key's just be named the same as the cipher name. See screen.

SSL Scan result
0
 
LVL 12

Accepted Solution

by:
David Paris Vicente earned 500 total points
ID: 40454855
Hi,

You will need to create for each cypher a reg key.
Like this
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
 "Enabled"=dword:00000000

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
 "Enabled"=dword:00000000
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
 "Enabled"=dword:00000000

For a better understanding I Advise you to check this KB I also advise you to make a backup of the registry, because as you should know this can affect your OS.

And  run the tests again

I hope it helps you.

Regards
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now