Using the as-a-service approach for your business model allows you to grow your revenue stream with new practice areas, without forcing you to part ways with existing clients just because they don’t fit the mold of your new service offerings.
SSL Server test
HI All,
I am using Windows server 2012 R2 standard and hosted for the Gateway server. I ran IIS crypto as well , but still overall rating as " B " only.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Can any one help on this.
I am using Windows server 2012 R2 standard and hosted for the Gateway server. I ran IIS crypto as well , but still overall rating as " B " only.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Can any one help on this.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Hi , attached the Cipher suites & SChannel settings from IIS crypto.
Cipher-settings1.JPG
Cipher-settings2.JPG
SChannel-settings.JPG
Cipher-settings1.JPG
Cipher-settings2.JPG
SChannel-settings.JPG
Hi
I would disable tls-dhe ciphers and in schannel unselect tls1 and 1.1, sha and diffie helman.
That should bring a A rating.
Cheers
I would disable tls-dhe ciphers and in schannel unselect tls1 and 1.1, sha and diffie helman.
That should bring a A rating.
Cheers
Hi , I have tried the same steps unselect all tls-dhe ciphers in Cipher suites and in schannel unselect tls1 and 1.1, sha and diffie helman.
Still no luck , I am getting B grade only.
I am using Windows 2012 R2 standard Operating system.
Signature algorithm is SHA256withRSA
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Still no luck , I am getting B grade only.
I am using Windows 2012 R2 standard Operating system.
Signature algorithm is SHA256withRSA
TLS_DHE_RSA_WITH_AES_256_G
256
TLS_DHE_RSA_WITH_AES_128_G
128
Do check out this site ("Guide to Deploying Diffie-Hellman for TLS") for admin as it is pertaining to past weak cipher for DH discovered. https://weakdh.org/sysadmin.html
Disable Diffie-Hellman under Key Exchanges Enabled
Disable Diffie-Hellman under Key Exchanges Enabled
1. Use IISCrypto to apply the “Best Practices” Template 2. Disable TLS 1.0 (Assuming SQL is not on the server or these updates have been applied and RDS/RDWeb is not deployed)http://robwillis.info/2015/10/hardening-ssl-tls-connections-on-windows-server-2008-r2-2012-r2/
3. Disable MD5 under Hashes enabled
4. Disable Diffie-Hellman under Key Exchanges Enabled
5. Apply and reboot
Hi, you have given a best solution , but not sure IIS Crypto settings are not making any changes.so still getting B grade only.
It may be some apps but if after rebooting the machine and the DH 1024 or TLS 1.0/1 still exist from reading from iiscrypto then A may not be achievable. Maybe useful if you can share the finding so that we understand the B is due to what reason based on the online findings it stated
TLS_DHE_RSA_WITH_AES_256_G
TLS_DHE_RSA_WITH_AES_128_G
Facing issue with these two above keys.. Can you please help me out.
TLS_DHE_RSA_WITH_AES_128_G
Facing issue with these two above keys.. Can you please help me out.
if you can't use 2048-bit (or larger) DH parameters (and generate new parameters on a regular basis), you should probably disable DHE.
the grade should be capped to B unless they support ECDHE_ECDSA_WITH_AES_128_G
the grade should be capped to B unless they support ECDHE_ECDSA_WITH_AES_128_G
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Hi All,
Thanks for the support, below suggestion is helped to resolve the issue.
Disconnect nic cable, reboot, login as local administrator CHECK RSOP and run iiscrypto.
Thanks for the support, below suggestion is helped to resolve the issue.
Disconnect nic cable, reboot, login as local administrator CHECK RSOP and run iiscrypto.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: IC3 GS4 Internet Core Competency Global Standard 4… 135 lessons
-
Microsoft ApplicationsCertification: MCP MCSA Microsoft Certified Partner & Solutions Ass… 377 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
can you printscreen the iiscrypto settings?
Cheers