Hi,
To determine which cipher suite a TLS connection uses, you can enable SCHANNEL logging.

Enable logging and reboot the computer:

```
D:\> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /t REG_DWORD /d 7
```

(`EventLogging` is a DWORD value; without `/t REG_DWORD`, `reg add` would write it as a string.)
After the reboot each connection is logged in detail to the System event log. For example:

```
A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.

Protocol version: TLS 1.2
CipherSuite: 0xC028
Exchange strength: 384 bits
Context handle: 0x2703f511720
Target name: my.TestServer.org
Local certificate subject name:
Remote certificate subject name: C=DE, S=Hetzles, O=my Company, CN=*.TestServer.org
```
To translate the CipherSuite hex number into the cipher name use:

```
PS D:\> [system.array] ( Get-TlsCipherSuite ) | ?{ $_.CipherSuite -eq 0xC028 }

KeyType               : 0
Certificate           : RSA
MaximumExchangeLength : 65536
MinimumExchangeLength : 0
Exchange              : ECDH
HashLength            : 384
Hash                  : SHA384
CipherBlockLength     : 16
CipherLength          : 256
BaseCipherSuite       : 49192
CipherSuite           : 49192
Cipher                : AES
Name                  : TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Protocols             : {771, 65277}
```
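Doing this by hand for every event gets tedious, so here is an added script (not part of the original post) that reads the handshake events from the System log, resolves each CipherSuite hex code to its name with Get-TlsCipherSuite, and summarises which protocol/suite pairs were actually negotiated. It assumes EventLogging has already been set to 7 as above, and that the "handshake completed successfully" events carry Schannel Event ID 36880; if your build logs them under a different ID, change that one line.

```powershell
# Added example (not from the original post): summarise the cipher suites that
# Schannel actually negotiated and resolve each hex code to its name.
# Assumptions: EventLogging = 7 is already active, and the handshake events
# use Schannel Event ID 36880 ("client handshake completed successfully").

# Lookup table: numeric suite id -> suite name, built from Get-TlsCipherSuite
$suiteNames = @{}
foreach ($s in [System.Array](Get-TlsCipherSuite)) {
    $suiteNames[[int]$s.CipherSuite] = $s.Name
}

# Handshake events of the last 24 hours from the System log
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36880
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$summary = foreach ($e in $events) {
    $msg = $e.Message
    # The event text carries "Protocol version: ...", "CipherSuite: 0x...." and
    # "Target name: ..." lines, exactly as shown in the sample above
    $proto  = if ($msg -match 'Protocol version:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    $hex    = if ($msg -match 'CipherSuite:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { $null }
    $target = if ($msg -match 'Target name:\s*(\S+)') { $Matches[1] } else { '' }
    if (-not $hex) { continue }

    $id   = [Convert]::ToInt32($hex, 16)
    $name = if ($suiteNames.ContainsKey($id)) { $suiteNames[$id] } else { "unknown ($hex)" }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Protocol = $proto
        Suite    = $name
        Target   = $target
        # CBC suites and key exchanges without forward secrecy are the ones
        # worth reviewing before tightening the allowed list
        CbcMode  = $name -like '*_CBC_*'
        NoPfs    = ($name -notlike 'TLS_ECDHE_*') -and ($name -notlike 'TLS_DHE_*') -and
                   ($name -notlike 'TLS_AES_*') -and ($name -notlike 'TLS_CHACHA20_*')
    }
}

# How often was each protocol/suite pair negotiated?
$summary | Group-Object Protocol, Suite |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Connections that used CBC or a key exchange without forward secrecy
$summary | Where-Object { $_.CbcMode -or $_.NoPfs } |
    Format-Table Time, Protocol, Suite, Target -AutoSize
```

Run it in an elevated PowerShell, since reading the System log and Get-TlsCipherSuite both need administrative rights. The first table tells you what is in use today; the second lists the connections you would break by removing CBC or non-(EC)DHE suites from the allowed list, which is the check to do before changing the Group Policy described below.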
To get all allowed cipher suites use:

```
PS D:\> [system.array] ( Get-TlsCipherSuite ) | Select-Object Name
```
The cipher suites can be restricted by a Group Policy:

```
Computer Configuration/Administrative Templates/Network/SSL Configuration Settings/SSL Cipher Suite Order
```

In the registry the list can be found at:

```
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
```
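A misspelled suite name in that `Functions` value is silently ignored, so it is worth cross-checking the policy against what Schannel reports as enabled. The following added script (not from the original post) reads the policy value from the registry path above, splits the comma-separated list, and compares it with Get-TlsCipherSuite. It assumes Get-TlsCipherSuite reflects the effective order after the policy has been applied; a non-empty `EnabledNotInPolicy` therefore usually means the policy has not been applied yet (gpupdate and reboot) rather than a configuration error.

```powershell
# Added example (not from the original post): cross-check the Group Policy
# cipher suite order against the suites Schannel actually has enabled.
# Assumption: the policy value lives at the registry path quoted above.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue

if (-not $policy) {
    Write-Host "No cipher suite order policy found under $policyKey; the Windows default order applies."
    $policyList = @()
} else {
    # The value is one comma-separated REG_SZ string, in priority order
    $policyList = @($policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$enabled = @([System.Array](Get-TlsCipherSuite) | Select-Object -ExpandProperty Name)

# Policy entries Schannel does not recognise (typos, or suites this OS build lacks)
$unknownInPolicy = @($policyList | Where-Object { $_ -notin $enabled })

# Enabled suites the policy did not list (expected to be empty once the policy is in effect)
$enabledNotInPolicy = @()
if ($policyList.Count -gt 0) {
    $enabledNotInPolicy = @($enabled | Where-Object { $_ -notin $policyList })
}

[pscustomobject]@{
    PolicyEntries      = $policyList.Count
    EnabledSuites      = $enabled.Count
    UnknownInPolicy    = ($unknownInPolicy -join ', ')
    EnabledNotInPolicy = ($enabledNotInPolicy -join ', ')
} | Format-List
```

`UnknownInPolicy` is the line to watch: a name that Schannel does not recognise buys you nothing, and if it was meant to replace a weaker suite, the weaker one may still be in use.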
An explanation of the various cipher suites can be found here and here.
Michael