Skip to main content

Blocking the Use of Weak Ciphers and Enabling TLS 1.2 in the Server Configuration

Notice

TLS 1.1 is being phased out for all major browsers such as Chrome, Firefox, Safari and Edge.

TLS (Transport Layer Security) and its now-deprecated predecessor, SSL (Secure Sockets Layer) are cryptographic protocols designed to provide communications security over a computer network. Websites can use TLS to secure all communications between their servers and the web browsers. The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.

Sensitive data such as user credentials and credit card information must be protected when it is transmitted over the network and the ciphers in use during secure communications via SSL and TLS 1.1 are too weak. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission. Even if high grade ciphers are supported and used today, some misconfiguration in the server may force users of a weak cipher or no encryption at all to grant access to the supposedly secure communication channel.

Implications

Attackers may decrypt traffic transmitted over SSL between server and guests. The CBC mode is vulnerable to plain-text attacks after encryption with with TLS 1.0, SSL 3.0 or lower. This vulnerability has been addressed by introducing TLS 1.2 along with the GCM mode that is not vulnerable against BEAST attacks.

It is therefore recommended to prevent your web servers from using weak ciphers and only allowing strong ciphers on the web servers to protect the secure communication with guests. This means disabling TLS 1.1 and upgrading to TLS 1.2 or higher. You have to restart the web server when done for the changes to take effect.

Enabling TLS 1.2

Upgrading to TLS 1.2 requires making changes to the registry. Before you start making these changes, follow the link to the Microsoft resource below and carefully read the instructions and explanations there.

Notice

TLS 1.2 requires SQL Server 11.0.5388.0 or higher. Older versions do not support TLS 1.2.

Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

DWORD name: DisabledByDefault

DWORD value: 0

Source : https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2

The following (weak) ciphers are disabled with the upgrade to TLS 1.2:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_NULL_SHA256

TLS_RSA_WITH_NULL_SHA

TLS_PSK_WITH_AES_256_GCM_SHA384

TLS_PSK_WITH_AES_128_GCM_SHA256

TLS_PSK_WITH_AES_256_CBC_SHA384

TLS_PSK_WITH_AES_128_CBC_SHA256

TLS_PSK_WITH_NULL_SHA384

TLS_PSK_WITH_NULL_SHA256