Windows: Enable SCHANNEL verbose logging to determine cipher suite

Hi,

To determine which cipher suite a TLS connection actually negotiated, you can enable Schannel event logging. Schannel is the Windows TLS provider, so this covers every connection made through it (IIS, RDP, LDAPS, WinHTTP, .NET with the native stack, and so on).


Enable logging and reboot the computer:

D:\> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /t REG_DWORD /d 7 /f

EventLogging is a REG_DWORD; 7 enables error (1), warning (2) and informational/success (4) events. Without /t REG_DWORD, reg add creates a REG_SZ value instead of the DWORD Schannel expects. Set it back to 1 (errors only, the default) when you are done, because level 7 logs one event per handshake and fills the System log quickly on a busy server.

After the reboot, every handshake is logged in detail to the System event log (source: Schannel; a completed handshake is Event ID 36880). For example:

A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.

   Protocol version: TLS 1.2
   CipherSuite: 0xC028
   Exchange strength: 384 bits
   Context handle: 0x2703f511720
   Target name: my.TestServer.org
   Local certificate subject name: 
   Remote certificate subject name: C=DE, S=Hetzles, O=my Company, CN=*.TestServer.org

To translate the CipherSuite hex number into the cipher suite name, use Get-TlsCipherSuite from the TLS PowerShell module (Windows 10 / Windows Server 2016 and later):

PS D:\> [system.array](Get-TlsCipherSuite) | ?{ $_.CipherSuite -eq 0xC028 }
KeyType               : 0
Certificate           : RSA
MaximumExchangeLength : 65536
MinimumExchangeLength : 0
Exchange              : ECDH
HashLength            : 384
Hash                  : SHA384
CipherBlockLength     : 16
CipherLength          : 256
BaseCipherSuite       : 49192
CipherSuite           : 49192
Cipher                : AES
Name                  : TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Protocols             : {771, 65277}

The CipherSuite field is the same number in decimal (0xC028 = 49192). Protocols lists the protocol version numbers the suite is usable with, also in decimal: 771 is 0x0303 (TLS 1.2) and 65277 is 0xFEFD (DTLS 1.2).
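The steps above (enable logging, read the 36880 events, translate the hex ID) can be combined into one script that reports which suites the machine is actually negotiating. This is an added example, not code from the original post: it assumes EventLogging=7 has been set and the machine rebooted, so Event ID 36880 (the "handshake completed successfully" event shown above) is present in the System log, and it requires the TLS module (Get-TlsCipherSuite). The regular expressions target the message layout shown in the sample event.

```powershell
# Added example, not code from the original post. Assumes Schannel EventLogging=7 is
# set and the machine has been rebooted, so Event ID 36880 ("A TLS client/server
# handshake completed successfully", the event shown above) exists in the System log.
# Requires the TLS module (Get-TlsCipherSuite), i.e. Windows 10 / Server 2016 or later.

# Lookup table: numeric suite ID -> IANA name. The CipherSuite value in the event
# (e.g. 0xC028) is the same number Get-TlsCipherSuite reports (49192 decimal).
$suiteNames = @{}
foreach ($s in Get-TlsCipherSuite) { $suiteNames[[int]$s.CipherSuite] = $s.Name }

# Fetch the most recent completed-handshake events. Without -ErrorAction the cmdlet
# reports an error when the log has no matching events yet.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36880
} -MaxEvents 500 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $msg = $e.Message
    # Pull the fields out of the free-text message body shown in the post.
    $role   = if ($msg -match 'TLS (client|server) handshake')       { $Matches[1] } else { '?' }
    $proto  = if ($msg -match 'Protocol version:\s*(\S[^\r\n]*)')    { $Matches[1].Trim() } else { '?' }
    $hex    = if ($msg -match 'CipherSuite:\s*(0x[0-9A-Fa-f]{1,4})') { $Matches[1] } else { $null }
    $target = if ($msg -match 'Target name:\s*([^\r\n]*)')           { $Matches[1].Trim() } else { '' }

    # [int]'0xC028' parses the hex literal. Suites missing from the local list (e.g. one
    # disabled after the event was logged) are shown by ID so they are not silently dropped.
    $name = if ($hex) { $suiteNames[[int]$hex] } else { $null }
    if (-not $name) { $name = "unknown ($hex)" }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Role     = $role
        Protocol = $proto
        Suite    = $name
        Target   = $target
    }
}

# Per-connection detail, newest first (Get-WinEvent order), followed by a summary of
# which protocol/suite pairs are really in use: the list to consult before tightening
# the cipher suite order via Group Policy.
$rows | Format-Table -AutoSize
$rows | Group-Object Protocol, Suite | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell session (reading the System log requires administrator or Event Log Readers membership). The summary table tells you which suites you can drop from the policy list without breaking existing peers, and which legacy suites (CBC, RSA key exchange, TLS 1.0/1.1) are still being negotiated and by whom.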

To list all cipher suites enabled on this machine, in the priority order in which they are offered, use

PS D:\>  [system.array](Get-TlsCipherSuite) | Select-Object Name

The cipher suite list can be restricted (and reordered) by a Group Policy:

Computer Configuration/Administrative Templates/Network/SSL Configuration Settings/SSL Cipher Suite Order

In the registry, the policy list is stored at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

Functions is a single comma-separated REG_SZ, and the policy is limited to 1023 characters. The list is a whitelist: any suite not named in it is disabled for both the client and the server side of the machine, so a missing suite breaks connections to peers that offer nothing else. Check the Schannel log (Event ID 36880 as above) for what is really negotiated before rolling the list out. When this policy key is present it takes precedence over the local list under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002, which is what Enable-TlsCipherSuite and Disable-TlsCipherSuite modify.
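An audit script for this configuration, as an added example that is not part of the original post: it reads the policy list written to the key above (if any), warns when it exceeds the 1023-character policy limit or names suites this host does not enable, and then flags enabled suites that lack forward secrecy or use CBC or legacy algorithms. It requires the TLS module (Get-TlsCipherSuite); the strength rules are this example's own judgement, not a Microsoft list, and the key-exchange check assumes the Exchange field reads ECDH or DH for ECDHE/DHE suites as shown in the Get-TlsCipherSuite output above.

```powershell
# Added example, not code from the original post. Audits the cipher suite configuration:
# reads the list the "SSL Cipher Suite Order" policy writes to the registry key above,
# checks it against what the host actually enables, and flags enabled suites that lack
# forward secrecy or rely on CBC / legacy algorithms. Requires the TLS module
# (Get-TlsCipherSuite); the strength rules are this example's own, not Microsoft's.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherSuites {
    # Policy list as an array of names; empty when no policy is applied.
    $item = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    # Functions is one comma-separated REG_SZ; the policy is limited to 1023 characters,
    # so a longer list gets truncated and the tail suites never apply.
    if ($item.Functions.Length -gt 1023) {
        Write-Warning "Functions is $($item.Functions.Length) chars; the policy limit is 1023."
    }
    return ($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherSuiteStrength {
    # Takes objects from Get-TlsCipherSuite, returns each with a list of concerns.
    param([Parameter(ValueFromPipeline)] $Suite)
    process {
        $issues = @()
        # TLS 1.3 suites (no "_WITH_" in the name) always use ephemeral key exchange;
        # for TLS 1.2 the Exchange field must be ECDH or DH (i.e. ECDHE/DHE), not RSA.
        $isTls13 = $Suite.Name -notmatch '_WITH_'
        if (-not $isTls13 -and $Suite.Exchange -notin @('ECDH', 'DH')) { $issues += 'no forward secrecy' }
        if ($Suite.Name -match '_CBC_')                                  { $issues += 'CBC mode (no AEAD)' }
        if ($Suite.Cipher -in @('RC4', '3DES', 'DES', 'NULL'))           { $issues += "legacy cipher $($Suite.Cipher)" }
        if ($Suite.Hash -in @('MD5', 'SHA1'))                            { $issues += "weak MAC $($Suite.Hash)" }
        [pscustomobject]@{ Name = $Suite.Name; Issues = ($issues -join '; ') }
    }
}

$policy  = @(Get-PolicyCipherSuites)
$enabled = @(Get-TlsCipherSuite)

"Policy list : $(if ($policy.Count) { "$($policy.Count) suites" } else { 'none (local defaults apply)' })"
"Enabled here: $($enabled.Count) suites"

# Names in the policy that this host does not enable: a typo, or a suite this OS build
# does not support. Either way the entry buys nothing and should be reviewed.
$policy | Where-Object { $_ -notin $enabled.Name } |
    ForEach-Object { Write-Warning "In policy but not enabled on this host: $_" }

# Weak suites still enabled, in negotiation priority order.
$enabled | Test-CipherSuiteStrength | Where-Object Issues | Format-Table -AutoSize
```

Reading the policy key needs no special rights, so the script can run as a normal user; only changing the list (via Group Policy, or Enable-/Disable-TlsCipherSuite for the local list) requires elevation. Suites flagged here that still show up in the Schannel handshake events are the ones that need a migration plan rather than a simple removal.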

An explanation of the various cipher suites can be found here and here.

Michael
