While journying down the whole cipher suite road this weekend, I put together a little one liner that reconfigures the cipher suite order that Windows will try and use. As I mentioned in a previous blog, you can configure this via GPO. But, maybe you want to build in the configuration to a golden image. You probably have other PowerShell scripts to configure your golden image, so you can throw this command in to tweak the cipher suite order.
The command only works on Windows Server 2008 R2 and Windows 7. If you use Vista or Server 2008, look at your existing registry key for the list of cipher suites then modify the script. Many of the new cipher suites are not availabile on 2008/Vista.
After you cut and paste the script to your computer remove all line breaks and spaces in the cipher suite string. This is important, as we are at the 1024 character limit of a PowerShell string.
—
set-itemproperty -path “HKLM:SOFTWAREPoliciesMicrosoftCryptographyConfigurationSSL0010002” -name “Functions” -value “TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5, SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5” -type string
—
Please note: The sting is limited to 1023 characters.
The example above is one character too long once you get the <space> characters out of the string. Note the end of the sequence is "MD", not MD5".
Dude, you solved a massive problem for me with my Azure VM. Thank you!
I got stuck with my Azure VM unreachable with RDP / SSH after cipher suites change and server restart. I used your command with these changes : – Add antislash in the path. – Use of 00010002 instead of 0010002 in the path. My VM is a Windows server 2008 R2 Datacenter. So, how to update cipher suites if VM is unreachable ? Here follow the steps : – Go to Azure portal – Select your VM and start it if stopped. – Go to Execute command – Click on RunPowerShellScript – Paste the Set-ItemProperty command and click on Execute.… Read more »