We have TMG 2010 and publish a Website with SSL. The Certificate supports 128bit up to 256 bit encryption. How can we force to use 256bit only?
Mark
Hi,
Thank you for the post.
In order to get IIS7 to do 256 bit encryption, we have to ensure the cipher suite that is listed first is the following: TLS_RSA_WITH_AES_256_CBC_SHA
In order to change the Cipher Suite order we can do the following:
- Run gpedit.msc from the command line
- Within the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Network.
- Under Network, select SSL Configuration and then double click on SSL Cipher Suite Order
- By Default the SSL Cipher Suite Order is set to "Not Configured"
- To enable 256-bit encryption, select the "enabled" radio button
- Within the SSL Cipher Suites text box, remove TLS_RSA_WITH_AES_128_CBC_SHA or at least place it behind TLS_RSA_WITH_AES_256_CBC_SHA.
TLS_RSA_WITH_AES_256_CBC_SHA has to be the first cipher suite listed in order for us to connect with 256-bit encryption.
Once the steps above have been completed, restart the server for the changes to take effect. Now we can browse a page served on the IIS7 server and confirm it is using 256 bit encryption. To do this, right click on the page, select properties and you should see the following:
TLS 1.0, AES with 256 bit encryption (High); RSA with 1024 bit exchange
Regards,
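The gpedit.msc steps in the answer above write a single registry value that Schannel reads at boot. The script below is an added example, not from the original thread, that sets the same "SSL Cipher Suite Order" policy from PowerShell and then checks what a client actually negotiates against the site. It assumes an elevated PowerShell session on the IIS box, the Schannel suite names available on Windows Server 2008 R2, and a placeholder host name; none of those come from the thread. It reorders rather than removes by default, because the policy applies to every Schannel consumer on the machine, not only IIS, and the last reply in this thread reports RDP breaking after restricting the list.

```powershell
# Added example (not from the original thread): configure the Schannel
# cipher suite order policy and verify the negotiated cipher.
# Assumptions: run elevated; reboot afterwards (the policy is read at boot);
# 'www.example.com' is a placeholder for the published site.

# Same key the "SSL Cipher Suite Order" Group Policy setting writes to.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# AES-256 suites first, as the answer above describes; weaker suites stay
# behind them so clients that cannot do AES-256 still connect.
$PreferredOrder = @(
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

function Set-SchannelCipherSuiteOrder {
    param(
        [Parameter(Mandatory)] [string[]] $Suites,
        [switch] $Only256    # drop every suite that is not AES-256 (the asker's goal)
    )
    if ($Only256) { $Suites = $Suites | Where-Object { $_ -match 'AES_256' } }

    # The policy value is one comma-separated REG_SZ, limited to 1023 characters.
    $value = $Suites -join ','
    if ($value.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character policy limit.' }

    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value $value -Type String
    return $value
}

function Get-SchannelCipherSuiteOrder {
    # Returns the configured order, or nothing if the policy is "Not Configured".
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($item) { $item.Functions -split ',' }
}

function Test-NegotiatedCipher {
    # Performs a real TLS handshake and reports what the server picked.
    param([Parameter(Mandatory)] [string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Protocol        = $ssl.SslProtocol
            Cipher          = $ssl.CipherAlgorithm
            CipherStrength  = $ssl.CipherStrength      # 256 is what the thread is after
            KeyExchange     = $ssl.KeyExchangeAlgorithm
            KeyExchangeBits = $ssl.KeyExchangeStrength
        }
        $ssl.Dispose()
    }
    finally { $tcp.Close() }
}

# Apply the order (add -Only256 to remove the 128-bit suites entirely),
# show what was written, then reboot and test from a client.
Set-SchannelCipherSuiteOrder -Suites $PreferredOrder
Get-SchannelCipherSuiteOrder
Test-NegotiatedCipher -HostName 'www.example.com'
```

Run Test-NegotiatedCipher from a client machine after the reboot; the CipherStrength field is the same number the browser's page properties dialog shows. If a client still negotiates 128-bit, check the client side as well: the server can only pick from what the client offers, so a 256-bit-first order on the server does not help a client that only sends AES-128.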
Hi!
I am also having the same issue. I have already done as suggested in this thread.
I have installed godaddy.com Wildcard SSL certificate in a Server which is in a datacenter. The Server is Windows 2008 R2 with Service Pack 1 and running IIS7.5
I am trying to make it 256 bit SSL. I have applied all suggestions given in the following guide
http://derek858.blogspot.in/2010/06/enable-tls-12-aes-256-and-sha-256-in.html
But it's still showing 128 bit SSL in my sites
https://admin.chatware.com &
https://service11.chatware.com
Please help!
Asim Chandra
It would appear that following this change on Windows Server 2012, Remote Desktop fails to self-sign its certs and you can no longer RDP into a machine.