How to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on Windows server 2003 SP2 client

Hi @ll,

I'm trying to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on the windows 2003 server.
The server is acting as client connecting to LDAP server for auth.

I tried to use IIS Crypto or modifying Registry but no luck with that.
the AES 256/256 reg key has the DWORD Enabled = 0x0 value but cipher is still offered during the TLSv1 handshake.

TLSv1 Client Hello

Any thoughts?
thank you in advance!
TegRNDAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Looks like this crypto comes from the hotfix stated in http://support.microsoft.com/kb/948963
wondering if uninstall the hotfix can remove it , at least another better mean of "disable"

I supposed you have seen this schannel disabling in Windows 2008 (even though it is not 2003) - I supposed it did not work as stated... http://support.microsoft.com/kb/245030
..and if intent is to also disable SHA then you may want to see
SHA

This registry key refers to Secure Hash Algorithm (SHA-1), as specified in FIPS 180-1. Its implementation in the Rsabase.dll and Rsaenh.dll files is validated under the FIPS 140-1 Cryptographic Module Validation Program.

To allow this hashing algorithm, change the DWORD value data of the Enabled value to the default value 0xffffffff. Otherwise, change the DWORD value data to 0x0.

Disabling this algorithm effectively disallows the following:
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
0
TegRNDAuthor Commented:
Thanks for the suggestion,
unfortunately the remote LDAP server is supporting very limited set of ciphers,
and specifically only:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

2.png

so i was wondering if i could disable one of them...
0
btanExec ConsultantCommented:
in fact CBC and SHA are already not recommended (also due to BEAST vulnerability in 2012), so strictly speaking both are not as good. The CBC is the target that should be disabled. First off is have sslv3 disabled and looks like you already that done in capture. Primarily also to avert the POODLE vulnerability in 2014 which latest mentioned also affect TLS1.2.  

As already mentioned, TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA are made available in Windows 2k3 by installing the hotfix from KB 948963. so if that is removed, rightfully the cipher should be removed.

Strange there is only these two ciphers...since you used ssltest, i suggest you read this on "SSL/TLS Deployment Best Practices" which stated which to be disable from the same company supporting ssltest.
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSL / HTTPS

From novice to tech pro — start learning today.