Kishore M
 asked on

SSL Server test

Hi All,
I am using Windows Server 2012 R2 Standard, hosted for the Gateway server. I ran IIS Crypto as well, but the overall rating is still "B" only.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128


Can anyone help with this?

8/22/2022 - Mon
Patrick Bogers

Hi

Can you print-screen the IIS Crypto settings?

Cheers
Kishore M

ASKER
Hi, I have tried the same steps: unselected all TLS-DHE ciphers in Cipher Suites, and in Schannel unselected TLS 1.0 and 1.1, SHA and Diffie-Hellman.

Still no luck, I am getting a B grade only.

I am using the Windows 2012 R2 Standard operating system.

Signature algorithm is SHA256withRSA


TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128
Patrick Bogers

After the changes, did you reboot the server?
Kishore M

ASKER
Rebooted the server as well.
Kishore M

ASKER
Hi, you have given a best solution, but not sure; IIS Crypto settings are not making any changes, so still getting a B grade only.
btan

It may be some apps, but if after rebooting the machine the DH 1024 or TLS 1.0/1 still exist when reading from IIS Crypto, then an A may not be achievable. It may be useful if you can share the findings so that we understand what reason the B is due to, based on what the online findings stated.
btan

Please kindly advise of any further queries. Thanks.
Kishore M

ASKER
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128

Facing an issue with these two keys above. Can you please help me out?
Kishore M

ASKER
Hi All,

Thanks for the support; the suggestion below helped to resolve the issue.

Disconnect the NIC cable, reboot, log in as local administrator, check RSOP and run IIS Crypto.
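
An added example, not part of the original thread: a PowerShell check of what the resolution above points at, namely whether the cipher suite list Schannel uses is delivered by Group Policy or comes from local configuration, and whether any TLS_DHE suites remain in it. The registry paths are the standard Schannel and CNG locations and are assumptions about this server, not values posted in the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: standard registry locations for the cipher suite order and Schannel.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$dhKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-SuiteList {
    param([string]$Path)
    # 'Functions' is a comma-separated string under Policies and a
    # multi-string under Local; normalise both to an array of suite names.
    $item = Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    return @($item.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$policy = @(Get-SuiteList $policyKey)
$local  = @(Get-SuiteList $localKey)

# A list under the Policies key is used in place of the local list.
if ($policy.Count -gt 0)    { $source = 'Policies key (policy-delivered list)'; $effective = $policy }
elseif ($local.Count -gt 0) { $source = 'local configuration';                  $effective = $local }
else                        { $source = 'neither key set (OS default order)';   $effective = @() }

"Cipher suite order source : $source"
$dhe = @($effective | Where-Object { $_ -like 'TLS_DHE_*' })
if ($dhe.Count -gt 0) {
    "DHE suites still listed   :"
    $dhe | ForEach-Object { "  $_" }
} else {
    "DHE suites still listed   : none"
}

# Schannel key exchange switch for Diffie-Hellman (0 = disabled).
$dh = Get-ItemProperty -Path $dhKey -ErrorAction SilentlyContinue
if ($dh -and ($dh.PSObject.Properties.Name -contains 'Enabled')) {
    "Diffie-Hellman 'Enabled'  : $($dh.Enabled)"
} else {
    "Diffie-Hellman 'Enabled'  : not set (OS default applies)"
}

# Resultant Set of Policy for the computer, to compare against the values above.
gpresult /r /scope computer
```

If the TLS_DHE suites reappear under the Policies key after a reboot or policy refresh, the list is being rewritten by a domain GPO and has to be changed there rather than on the server.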
btan

Thanks for sharing, and you may proceed to close the question if there are no further queries.
btan

As per advice given