We help IT Professionals succeed at work.

SSL Server test

Kishore M
Kishore M asked
on
15 Comments
4 Solutions
461 Views
Last Modified: 2017-05-29
HI All,
I am using Windows server 2012 R2 standard and hosted for the Gateway server. I ran IIS crypto as well , but still overall rating as " B " only.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK
256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK
128


Can any one help on this.
Comment
Watch Question

View Solutions Only

Patrick BogersDatacenter platform engineer Lindows
CERTIFIED EXPERT

Commented:
Hi

can you printscreen the iiscrypto settings?

Cheers
Kishore M
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Patrick BogersDatacenter platform engineer Lindows
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Kishore M

Author

Commented:
Hi , I have tried the same steps unselect all tls-dhe ciphers in Cipher suites and in schannel unselect tls1 and 1.1, sha and diffie helman.

Still no luck , I am getting B grade only.
 
I am using Windows 2012 R2 standard Operating system.

Signature algorithm is SHA256withRSA


TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK
256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK
128
Patrick BogersDatacenter platform engineer Lindows
CERTIFIED EXPERT

Commented:
After the changes, did you reboot the server?
Kishore M

Author

Commented:
Rebooted the server as well..
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Kishore M

Author

Commented:
Hi, you have given a best solution , but not sure IIS Crypto settings are not making any changes.so still getting B grade only.
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
It may be some apps but if after rebooting the machine and the DH 1024 or TLS 1.0/1 still exist from reading from iiscrypto then A may not be achievable. Maybe useful if you can share the finding so that we understand the B is due to what reason based on the online findings it stated
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Pls kind advice any further queries. thanks
Kishore M

Author

Commented:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128

Facing issue with these two above keys.. Can you please help me out.
Exec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION
Kishore M

Author

Commented:
Hi All,

Thanks for the support,  below suggestion is helped to resolve the issue.

Disconnect nic cable, reboot, login as local administrator CHECK RSOP and run iiscrypto.
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Thanks for sharing and you may proceed to close the question if there are no further queries
btanExec Consultant
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As per advice given

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions