Enabling AES 256 GCM on Windows Server 2012 R2

Posted by Feanaro on Server Fault
Published on 2014-08-20T09:58:45Z

I'd like to enable the use of AES 256 GCM encryption instead of AES 256 CBC. We already have ECC certificates based on ECDSA, so that prerequisite has been fulfilled. The certificate has a SHA-256 signature and uses a 256-bit ECC keyset.

The ciphersuite I'd like to use:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

This is our ciphersuite order:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

Still, when I check the website, it says we use TLS 1.2, ECDHE_ECDSA for key exchange, AES_256_CBC for encryption and SHA1 for message digest.

I suspect it uses this suite for some reason:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

When I remove that ciphersuite the site has a protocol mismatch and won't load the https anymore. Does anyone know how to enable the ciphersuite? Did I forget to set something in the registry, or do I need to do something else to enable that specific suite? Thanks in advance!
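As an added example (not from the question or from Microsoft), the script below models how the suite order quoted above interacts with the certificate's key type and curve. It parses the Windows Server 2012 R2 style suite names, whose trailing `_P256`/`_P384`/`_P521` tag names an ECC curve, and filters them under one assumption: an `ECDHE_ECDSA` suite tagged with a curve is only usable when the ECDSA certificate's key is on that same curve, while `ECDHE_RSA` suites need an RSA certificate. `SUITE_ORDER`, `parse_suite`, `usable_suites` and `negotiated` are names I chose for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed model of 2012 R2 Schannel suite names. Assumption modelled here:
# with an ECDSA certificate the _Pxxx curve tag must match the key's curve.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)_(?:(?P<auth>ECDSA|RSA)_)?WITH_"
    r"(?P<cipher>AES_(?:128|256)_(?:GCM|CBC)|3DES_EDE_CBC)_"
    r"(?P<mac>SHA384|SHA256|SHA)(?:_(?P<curve>P256|P384|P521))?$"
)

# The cipher suite order quoted in the question, in server preference order.
SUITE_ORDER = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
]

class Suite(NamedTuple):
    name: str
    auth: str             # certificate type the suite needs: ECDSA or RSA
    cipher: str           # e.g. AES_256_GCM or AES_256_CBC
    mac: str              # SHA384, SHA256 or SHA (i.e. SHA-1)
    curve: Optional[str]  # P256 / P384 / P521 tag, if present

def parse_suite(name: str) -> Suite:
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised Schannel suite name: {name}")
    auth = m.group("auth") or m.group("kx")   # TLS_RSA_* authenticates with RSA
    return Suite(name, auth, m.group("cipher"), m.group("mac"), m.group("curve"))

def usable_suites(order: List[str], cert_alg: str, cert_curve: Optional[str] = None) -> List[Suite]:
    """Suites from `order` the server can actually offer with one certificate."""
    usable = []
    for s in map(parse_suite, order):
        if s.auth != cert_alg:
            continue                          # e.g. ECDHE_RSA needs an RSA cert
        if s.auth == "ECDSA" and s.curve and s.curve != cert_curve:
            continue                          # curve tag does not match the key
        usable.append(s)
    return usable

def negotiated(order: List[str], cert_alg: str, cert_curve: Optional[str] = None) -> Optional[Suite]:
    """First usable suite in preference order; None means the handshake fails."""
    u = usable_suites(order, cert_alg, cert_curve)
    return u[0] if u else None

if __name__ == "__main__":
    pick = negotiated(SUITE_ORDER, "ECDSA", "P256")   # the 256-bit key in the question
    print(pick.name if pick else "no usable suite: protocol mismatch")
    for s in usable_suites(SUITE_ORDER, "ECDSA", "P384"):
        print("with a P-384 key:", s.name)
```

Under this model a 256-bit (P-256) ECDSA key leaves only the `_P256` ECDSA suite usable, which is the CBC/SHA-1 result the question reports, and removing it leaves nothing, matching the protocol mismatch.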

