Solved

How to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on Windows server 2003 SP2 client

Posted on 2014-12-16
3
1,971 Views
Last Modified: 2015-01-12
Hi @ll,

I'm trying to disable TLS_RSA_WITH_AES_256_CBC_SHA cipher on the windows 2003 server.
The server is acting as client connecting to LDAP server for auth.

I tried to use IIS Crypto or modifying Registry but no luck with that.
the AES 256/256 reg key has the DWORD Enabled = 0x0 value but cipher is still offered during the TLSv1 handshake.

TLSv1 Client Hello

Any thoughts?
thank you in advance!
0
Comment
Question by:TegRND
  • 2
3 Comments
 
LVL 62

Expert Comment

by:btan
ID: 40502720
Looks like this crypto comes from the hotfix stated in http://support.microsoft.com/kb/948963
wondering if uninstall the hotfix can remove it , at least another better mean of "disable"

I supposed you have seen this schannel disabling in Windows 2008 (even though it is not 2003) - I supposed it did not work as stated... http://support.microsoft.com/kb/245030
..and if intent is to also disable SHA then you may want to see
SHA

This registry key refers to Secure Hash Algorithm (SHA-1), as specified in FIPS 180-1. Its implementation in the Rsabase.dll and Rsaenh.dll files is validated under the FIPS 140-1 Cryptographic Module Validation Program.

To allow this hashing algorithm, change the DWORD value data of the Enabled value to the default value 0xffffffff. Otherwise, change the DWORD value data to 0x0.

Disabling this algorithm effectively disallows the following:
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
0
 

Author Comment

by:TegRND
ID: 40502735
Thanks for the suggestion,
unfortunately the remote LDAP server is supporting very limited set of ciphers,
and specifically only:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA

2.png

so i was wondering if i could disable one of them...
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40503896
in fact CBC and SHA are already not recommended (also due to BEAST vulnerability in 2012), so strictly speaking both are not as good. The CBC is the target that should be disabled. First off is have sslv3 disabled and looks like you already that done in capture. Primarily also to avert the POODLE vulnerability in 2014 which latest mentioned also affect TLS1.2.  

As already mentioned, TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA are made available in Windows 2k3 by installing the hotfix from KB 948963. so if that is removed, rightfully the cipher should be removed.

Strange there is only these two ciphers...since you used ssltest, i suggest you read this on "SSL/TLS Deployment Best Practices" which stated which to be disable from the same company supporting ssltest.
https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question