Kishore M

SSL Server test

Hi All,
I am using Windows Server 2012 R2 Standard and hosted for the Gateway server. I ran IIS Crypto as well, but the overall rating is still "B" only.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128


Can anyone help with this?

Patrick Bogers

Hi

Can you printscreen the IIS Crypto settings?

Cheers
Kishore M

ASKER

Hi, I have tried the same steps: unselected all TLS-DHE ciphers in Cipher Suites, and in Schannel unselected TLS 1.0 and 1.1, SHA and Diffie-Hellman.

Still no luck, I am getting a B grade only.
 
I am using Windows 2012 R2 standard Operating system.

Signature algorithm is SHA256withRSA


TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128

After the changes, did you reboot the server?

Rebooted the server as well.

Hi, you have given a best solution, but not sure, the IIS Crypto settings are not making any changes. So still getting B grade only.

It may be some apps, but if after rebooting the machine the DH 1024 or TLS 1.0/1 still exist when reading from IIS Crypto, then A may not be achievable. It may be useful if you can share the findings so that we understand what reason the B is due to, based on the online findings it stated.

Please kindly advise of any further queries. Thanks.

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128

Facing an issue with the two keys above. Can you please help me out?

Hi All,

Thanks for the support, the suggestion below helped to resolve the issue.

Disconnect the NIC cable, reboot, log in as local administrator, check RSOP and run IIS Crypto.

Thanks for sharing, and you may proceed to close the question if there are no further queries.

As per advice given
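
The fix above points at policy overriding what IIS Crypto writes. As an added example (not part of the thread and not any poster's code), this read-only PowerShell check reports whether a policy-set cipher suite order is in effect, which DHE suites it still enables, and the minimum server DH key size. It assumes the standard Schannel registry locations and that the server honors the ServerMinKeyBitLength value; the 2048-bit threshold is an assumption based on the 1024-bit finding in the scan.

```powershell
# Added example (not from the thread). Read-only; run in an elevated PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$dhKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-SuiteList {
    param([string]$Path)
    $value = (Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($null -eq $value) { return @() }
    # The value may be one comma-separated string or a multi-string; handle both.
    @($value) | ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$policySuites = @(Get-SuiteList -Path $policyKey)
$localSuites  = @(Get-SuiteList -Path $localKey)

# A cipher suite order under the Policies key takes precedence over the local list.
if ($policySuites.Count -gt 0) { $source = 'Policy'; $effective = $policySuites }
else                           { $source = 'Local';  $effective = $localSuites }

# The two suites flagged in the scan are both TLS_DHE_* suites.
$dheSuites = @($effective | Where-Object { $_ -match '^TLS_DHE_' })

$minBits = (Get-ItemProperty -Path $dhKey -Name ServerMinKeyBitLength `
            -ErrorAction SilentlyContinue).ServerMinKeyBitLength

[pscustomobject]@{
    SuiteOrderSource      = $source
    DheSuitesEnabled      = $dheSuites -join ', '
    ServerMinKeyBitLength = if ($null -ne $minBits) { $minBits } else { 'not set' }
    # Assumed threshold: DHE enabled with no minimum, or a minimum below 2048 bits.
    WeakDhLikely          = ($dheSuites.Count -gt 0) -and
                            ($null -eq $minBits -or $minBits -lt 2048)
}
```

The registry alone does not show whether the policy value came from a domain GPO or from a local tool; the RSOP check mentioned in the fix is what attributes it.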