Solved

How to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on Windows server 2003 SP2 client

Posted on 2014-12-16
Last Modified: 2015-01-12
Hi @ll,

I'm trying to disable the TLS_RSA_WITH_AES_256_CBC_SHA cipher on the Windows 2003 server.
The server is acting as a client connecting to an LDAP server for auth.

I tried to use IIS Crypto or modifying the Registry, but no luck with that.
The AES 256/256 reg key has the DWORD Enabled = 0x0 value, but the cipher is still offered during the TLSv1 handshake.

[Screenshot: TLSv1 Client Hello]

Any thoughts?
Thank you in advance!
Question by: TegRND

Expert Comment by: btan
Looks like this crypto comes from the hotfix stated in http://support.microsoft.com/kb/948963
Wondering if uninstalling the hotfix can remove it; at least it is another, better means of "disable".

I suppose you have seen this SChannel disabling in Windows 2008 (even though it is not 2003). I suppose it did not work as stated... http://support.microsoft.com/kb/245030
...and if the intent is to also disable SHA, then you may want to see:
SHA

This registry key refers to Secure Hash Algorithm (SHA-1), as specified in FIPS 180-1. Its implementation in the Rsabase.dll and Rsaenh.dll files is validated under the FIPS 140-1 Cryptographic Module Validation Program.

To allow this hashing algorithm, change the DWORD value data of the Enabled value to the default value 0xffffffff. Otherwise, change the DWORD value data to 0x0.

Disabling this algorithm effectively disallows the following:
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

Author Comment by: TegRND
Thanks for the suggestion.
Unfortunately the remote LDAP server supports a very limited set of ciphers,
and specifically only:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA


So I was wondering if I could disable one of them...

Accepted Solution by: btan (earned 500 total points)
In fact CBC and SHA are already not recommended (also due to the BEAST vulnerability in 2012), so strictly speaking both are not as good. CBC is the target that should be disabled. First off, have SSLv3 disabled, and it looks like you already have that done in the capture. Primarily also to avert the POODLE vulnerability in 2014, which as latest mentioned also affects TLS 1.2.

As already mentioned, TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA are made available in Windows 2k3 by installing the hotfix from KB 948963. So if that is removed, rightfully the cipher should be removed.

Strange that there are only these two ciphers... Since you used ssltest, I suggest you read this on "SSL/TLS Deployment Best Practices", which states which ones to disable, from the same company supporting ssltest.
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
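A way to check whether a SCHANNEL registry change actually took effect, as an added example that is not part of this thread or of any Microsoft tooling: the Python below parses a captured TLSv1 ClientHello record (the kind of capture attached to the question) and reports which of the unwanted suites the client still offers. The suite IDs are the IANA registry values for the suites named in the thread; `parse_client_hello`, `still_offered` and `build_client_hello` are names chosen here, and the sample ClientHello is constructed inline rather than taken from the question's capture.

```python
import struct

# IANA cipher suite IDs for the suites named in this thread.
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

def parse_client_hello(record):
    """Return the cipher suite IDs a TLS ClientHello record offers, in client order."""
    if len(record) < 5 or record[0] != 0x16:            # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                                 # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ClientHello")
    pos = 35 + hello[34]                                # skip session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    blob = hello[pos + 2:pos + 2 + suites_len]
    if len(blob) != suites_len or suites_len % 2:
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack("!H", blob[i:i + 2])[0] for i in range(0, suites_len, 2)]

def suite_name(suite_id):
    return SUITE_NAMES.get(suite_id, "UNKNOWN_0x%04X" % suite_id)

def still_offered(record, unwanted):
    """Names from `unwanted` the client still offers; an empty list means the change took effect."""
    offered = {suite_name(s) for s in parse_client_hello(record)}
    return sorted(offered & set(unwanted))

def build_client_hello(suite_ids):
    """Constructed minimal TLSv1.0 ClientHello record, used only as sample input here."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"         # version, random, empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                            # one compression method: null
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # Constructed capture resembling the question's: both AES-CBC suites still offered.
    sample = build_client_hello([0x002F, 0x0035, 0x000A, 0x0005])
    print([suite_name(s) for s in parse_client_hello(sample)])
    print("still offered:", still_offered(sample, ["TLS_RSA_WITH_AES_256_CBC_SHA"]))
```

To check a real capture, export the ClientHello record bytes from the packet analyser and pass them to `still_offered` in place of the constructed sample.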