How to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on Windows server 2003 SP2 client

Hi @ll,

I'm trying to disable the TLS_RSA_WITH_AES_256_CBC_SHA cipher on the Windows 2003 server.
The server is acting as a client connecting to an LDAP server for auth.

I tried to use IIS Crypto or modifying the Registry, but no luck with that.
The AES 256/256 reg key has the DWORD Enabled = 0x0 value, but the cipher is still offered during the TLSv1 handshake.

(capture: TLSv1 Client Hello)

Any thoughts?
Thank you in advance!
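Added example, not part of the original thread: a small Python parser for the cipher_suites list in a TLS ClientHello record, so a SCHANNEL change can be checked against what the client actually puts on the wire (as the capture in the question does) rather than trusting the registry value. The suite-code table, the record builder and the sample record are constructed for this demo and are assumptions, not Microsoft or tool code.

```python
import struct

# IANA cipher-suite codes for the suites discussed in the thread (constructed, not exhaustive)
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def parse_client_hello(record: bytes):
    """Return (client version, [offered suite names]) from one TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = VERSIONS.get((hello[0], hello[1]), "unknown")
    pos = 2 + 32                                    # client_version + random
    pos += 1 + hello[pos]                           # session_id length + session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    codes = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, [SUITE_NAMES.get(c, "0x%04X" % c) for c in codes]

def build_client_hello(suite_codes) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record (zero random, no session id, null compression)."""
    suites = b"".join(struct.pack("!H", c) for c in suite_codes)
    hello = (b"\x03\x01" + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def still_offered(record: bytes, suite: str) -> bool:
    """True if the named suite is still in the client's offer, i.e. the registry change did not take."""
    return suite in parse_client_hello(record)[1]

if __name__ == "__main__":
    sample = build_client_hello([0x002F, 0x0035])   # constructed to mirror the two suites in the question
    print(parse_client_hello(sample))
    print("AES-256 still offered:", still_offered(sample, "TLS_RSA_WITH_AES_256_CBC_SHA"))
```

On a real capture, feed the raw bytes of the first TLS record from the client (the data after the TCP header) to parse_client_hello.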
btan (Exec Consultant) commented:
In fact, CBC and SHA are already not recommended (also due to the BEAST vulnerability in 2012), so strictly speaking both are not as good. The CBC is the target that should be disabled. First off is to have SSLv3 disabled, and it looks like you already have that done in the capture. Primarily also to avert the POODLE vulnerability in 2014, which, as latest mentioned, also affects TLS 1.2.

As already mentioned, TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA are made available in Windows 2k3 by installing the hotfix from KB 948963. So if that is removed, rightfully the cipher should be removed.

Strange there are only these two ciphers... Since you used ssltest, I suggest you read this on "SSL/TLS Deployment Best Practices", which states which ones to disable, from the same company supporting ssltest.
btan (Exec Consultant) commented:
Looks like this crypto comes from the hotfix stated in
Wondering if uninstalling the hotfix can remove it; at least it is another, better means of "disable".

I suppose you have seen this SCHANNEL disabling in Windows 2008 (even though it is not 2003) - I suppose it did not work as stated...
...and if the intent is to also disable SHA, then you may want to see

This registry key refers to Secure Hash Algorithm (SHA-1), as specified in FIPS 180-1. Its implementation in the Rsabase.dll and Rsaenh.dll files is validated under the FIPS 140-1 Cryptographic Module Validation Program.

To allow this hashing algorithm, change the DWORD value data of the Enabled value to the default value 0xffffffff. Otherwise, change the DWORD value data to 0x0.

Disabling this algorithm effectively disallows the following:
TegRND (Author) commented:
Thanks for the suggestion;
unfortunately the remote LDAP server supports a very limited set of ciphers,
and specifically only:


so I was wondering if I could disable one of them...