[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

How to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on Windows server 2003 SP2 client

Posted on 2014-12-16
3
Medium Priority
?
2,545 Views
Last Modified: 2015-01-12
Hi @ll,

I'm trying to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on the windows 2003 server.
The server is acting as client connecting to LDAP server for auth.

I tried to use IIS Crypto or modifying Registry but no luck with that.
the AES 256/256 reg key has the DWORD Enabled = 0x0 value but cipher is still offered during the TLSv1 handshake.

TLSv1 Client Hello

Any thoughts?
thank you in advance!
0
Comment
Question by:TegRND
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 65

Expert Comment

by:btan
ID: 40502720
Looks like this crypto comes from the hotfix stated in http://support.microsoft.com/kb/948963
wondering if uninstall the hotfix can remove it , at least another better mean of "disable"

I supposed you have seen this schannel disabling in Windows 2008 (even though it is not 2003) - I supposed it did not work as stated... http://support.microsoft.com/kb/245030
..and if intent is to also disable SHA then you may want to see
SHA

This registry key refers to Secure Hash Algorithm (SHA-1), as specified in FIPS 180-1. Its implementation in the Rsabase.dll and Rsaenh.dll files is validated under the FIPS 140-1 Cryptographic Module Validation Program.

To allow this hashing algorithm, change the DWORD value data of the Enabled value to the default value 0xffffffff. Otherwise, change the DWORD value data to 0x0.

Disabling this algorithm effectively disallows the following:
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
0
 

Author Comment

by:TegRND
ID: 40502735
Thanks for the suggestion,
unfortunately the remote LDAP server is supporting very limited set of ciphers,
and specifically only:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

2.png

so i was wondering if i could disable one of them...
0
 
LVL 65

Accepted Solution

by:
btan earned 1500 total points
ID: 40503896
in fact CBC and SHA are already not recommended (also due to BEAST vulnerability in 2012), so strictly speaking both are not as good. The CBC is the target that should be disabled. First off is have sslv3 disabled and looks like you already that done in capture. Primarily also to avert the POODLE vulnerability in 2014 which latest mentioned also affect TLS1.2.  

As already mentioned, TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA are made available in Windows 2k3 by installing the hotfix from KB 948963. so if that is removed, rightfully the cipher should be removed.

Strange there is only these two ciphers...since you used ssltest, i suggest you read this on "SSL/TLS Deployment Best Practices" which stated which to be disable from the same company supporting ssltest.
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question