Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
SSL Server test
HI All,
I am using Windows server 2012 R2 standard and hosted for the Gateway server. I ran IIS crypto as well , but still overall rating as " B " only.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Can any one help on this.
I am using Windows server 2012 R2 standard and hosted for the Gateway server. I ran IIS crypto as well , but still overall rating as " B " only.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Can any one help on this.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Hi , attached the Cipher suites & SChannel settings from IIS crypto.
Cipher-settings1.JPG
Cipher-settings2.JPG
SChannel-settings.JPG
Cipher-settings1.JPG
Cipher-settings2.JPG
SChannel-settings.JPG
Hi
I would disable tls-dhe ciphers and in schannel unselect tls1 and 1.1, sha and diffie helman.
That should bring a A rating.
Cheers
I would disable tls-dhe ciphers and in schannel unselect tls1 and 1.1, sha and diffie helman.
That should bring a A rating.
Cheers
Hi , I have tried the same steps unselect all tls-dhe ciphers in Cipher suites and in schannel unselect tls1 and 1.1, sha and diffie helman.
Still no luck , I am getting B grade only.
I am using Windows 2012 R2 standard Operating system.
Signature algorithm is SHA256withRSA
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Still no luck , I am getting B grade only.
I am using Windows 2012 R2 standard Operating system.
Signature algorithm is SHA256withRSA
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Do check out this site ("Guide to Deploying Diffie-Hellman for TLS") for admin as it is pertaining to past weak cipher for DH discovered. https://weakdh.org/sysadmin.html
Disable Diffie-Hellman under Key Exchanges Enabled
Disable Diffie-Hellman under Key Exchanges Enabled
1. Use IISCrypto to apply the “Best Practices” Template 2. Disable TLS 1.0 (Assuming SQL is not on the server or these updates have been applied and RDS/RDWeb is not deployed)http://robwillis.info/2015/10/hardening-ssl-tls-connections-on-windows-server-2008-r2-2012-r2/
3. Disable MD5 under Hashes enabled
4. Disable Diffie-Hellman under Key Exchanges Enabled
5. Apply and reboot
Hi, you have given a best solution , but not sure IIS Crypto settings are not making any changes.so still getting B grade only.
It may be some apps but if after rebooting the machine and the DH 1024 or TLS 1.0/1 still exist from reading from iiscrypto then A may not be achievable. Maybe useful if you can share the finding so that we understand the B is due to what reason based on the online findings it stated
TLS_DHE_RSA_WITH_AES_256_G
TLS_DHE_RSA_WITH_AES_128_G
Facing issue with these two above keys.. Can you please help me out.
TLS_DHE_RSA_WITH_AES_128_G
Facing issue with these two above keys.. Can you please help me out.
if you can't use 2048-bit (or larger) DH parameters (and generate new parameters on a regular basis), you should probably disable DHE.
the grade should be capped to B unless they support ECDHE_ECDSA_WITH_AES_128_G
the grade should be capped to B unless they support ECDHE_ECDSA_WITH_AES_128_G
Premium Content
You need an Expert Office subscription to comment.Start Free Trial