Enabling AES 256 GCM on Windows Server 2012 R2
Posted
by
Feanaro
on Server Fault
See other posts from Server Fault
or by Feanaro
Published on 2014-08-20T09:58:45Z
Indexed on
2014/08/20
10:22 UTC
Read the original article
Hit count: 373
I'd like to enable the use of the AES 256 GCM encryption instead of the AES 256 CBC. We already have ECC certificates based on ECDSA so that pre-requisite has been fullfilled. The certificate has a SHA-256 signature and uses a 256-bit ECC keyset.
The ciphersuite I'd like to use:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
This is our ciphersuite order:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
Still when I check the website it says we use TLS 1.2 and ECDHE_ECDSA for key exchange AES_256_CBC encryption and SHA1 for message digest.
I suspect it uses this suite for some reason:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
When I remove that ciphersuite the site has a protocol mismatch and won't load the https anymore. Does anyone know how to enable the ciphersuite? Did I forget to set something in the registry or do I need to do something else to enable that specific suite. Thanks in advance!
© Server Fault or respective owner