Windows: Enable SCHANNEL verbose logging to determine cipher suite

Hi,

to determine which CIPHER Suite a TLS connection uses you can enable SCHANNEL logging.


Enable logging and reboot the computer

D:\> reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL /v EventLogging /d 7

After the reboot each connection is logged in detail to the System EventLog. For example:

A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.

   Protocol version: TLS 1.2
   CipherSuite: 0xC028
   Exchange strength: 384 bits
   Context handle: 0x2703f511720
   Target name: my.TestServer.org
   Local certificate subject name: 
   Remote certificate subject name: C=DE, S=Hetzles, O=my Company, CN=*.TestServer.org

To translate the CipherSuite Hex number into the ciphername use

PS D:\> [system.array](Get-TlsCipherSuite) | ?{ $_.CipherSuite -eq 0xC028 }
KeyType               : 0
Certificate           : RSA
MaximumExchangeLength : 65536
MinimumExchangeLength : 0
Exchange              : ECDH
HashLength            : 384
Hash                  : SHA384
CipherBlockLength     : 16
CipherLength          : 256
BaseCipherSuite       : 49192
CipherSuite           : 49192
Cipher                : AES
Name                  : TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Protocols             : {771, 65277}

To get all allowed CipherSuites use

PS D:\>  [system.array](Get-TlsCipherSuite) | Select-Object Name

The cipher suites can resticted by a Group Policy

Computer Configuration/Administrative Templates/Network/SSL Configuration Settings/SSL Cipher Suite Order

In the registry the list can be found at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

Explaintation of the various cipher suites can be found here.

and here

Michael

Leave a Reply Cancel reply