TLS / SSL cipher strength change


One of my customers asked me today what the configuration of their send connectors is, because they need to establish new boundary encryption between them and a business partner. One of the settings to check was which ciphers the connectors use.

I haven't seen that setting before on the Exchange side, so I started googling a bit and after a few dead ends I found this article: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/5830c533-38eb-4d88-92fe-6e1a02d7bac4

Thanks to JShan99, here it is.

A cipher suite is the combination of key exchange, authentication, bulk encryption and hashing (MAC) algorithms that both ends of a TLS/SSL connection must support. Cipher suites protect data on the wire against eavesdropping and tampering, so the strength of the suite that actually gets negotiated is what matters. Which suites Schannel offers, and in what order, is controlled by the Group Policy setting below. The list is a preference order: the server picks the first suite in its list that the client also supports, so the strongest suites should come first and the list should fall back to weaker ones towards the end. Suites left out of the list are disabled entirely. The default order in Windows Server 2008 R2 does not put the strongest suites first.

Default Settings

Open gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order. The setting shows Not Configured, and the help text lists the default cipher suites in the order they are tried, from first to last.

[screenshot: SSL Cipher Suite Order, Not Configured (before)]

Change settings

  • Click the Enabled radio button and, in the SSL Cipher Suites field, enter the suites as one comma-separated list with no spaces, from the strongest or most preferred to the weakest or least preferred. The value is limited to 1023 characters, so keep only the suites you actually want enabled.

[screenshot: SSL Cipher Suite Order, Enabled with the new list (after)]

  • Click Apply and OK.
  • Reboot the server. Schannel reads the cipher suite list at startup, so the change has no effect until then.

The same setting can be pushed to many servers with a domain GPO; gpedit.msc only edits the local policy on the machine you are on.
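As an added example (not code from the original post or from the forum thread it cites), the following PowerShell does the same job from the command line: it reads the order currently in effect, writes the policy value the GPO setting above writes, and then checks which suite an SMTP partner actually negotiates over STARTTLS, which is what the send connector question comes down to. The registry paths are the ones the policy and Schannel use; the suite names in the usage section are an illustrative 2008 R2-era list (an assumption, not a recommendation), and the partner host name is a placeholder.

```powershell
# Added example, not from the original post: inspect and set the Schannel
# cipher suite order that the "SSL Cipher Suite Order" policy controls, then
# verify the suite negotiated with an SMTP partner over STARTTLS.
# Registry paths are the ones the policy and Schannel use; the suite list in
# the usage section is illustrative (assumption), not a recommendation.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SchannelCipherSuiteOrder {
    # The policy value (REG_SZ, comma-separated) overrides the local default
    # order (REG_MULTI_SZ). "Not Configured" in gpedit means the policy value is absent.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        return New-Object PSObject -Property @{ Source = 'Policy'; Suites = @($policy.Functions -split ',') }
    }
    $local = Get-ItemProperty -Path $LocalKey -Name Functions
    New-Object PSObject -Property @{ Source = 'LocalDefault'; Suites = @($local.Functions) }
}

function Set-SchannelCipherSuiteOrderPolicy {
    param([Parameter(Mandatory = $true)][string[]]$Suites)

    # Schannel ignores names it does not recognise, so a typo silently drops a
    # suite instead of failing. Warn about anything not in the host's default list.
    $known = @((Get-ItemProperty -Path $LocalKey -Name Functions).Functions)
    foreach ($s in $Suites) {
        if ($known -notcontains $s) { Write-Warning "'$s' is not in this host's default suite list; check the spelling" }
    }

    # The policy stores one comma-separated string, no spaces, at most 1023 characters.
    $value = ($Suites | ForEach-Object { $_.Trim() }) -join ','
    if ($value.Length -gt 1023) { throw "Cipher suite string is $($value.Length) characters; the policy limit is 1023" }

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
    Write-Warning 'Schannel reads the cipher suite list at boot: reboot before verifying.'
}

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Multi-line SMTP replies use "250-..." continuation lines; "250 " ends the reply.
    do { $line = $Reader.ReadLine() } while ($line -ne $null -and $line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Test-SmtpStartTlsCipher {
    param([Parameter(Mandatory = $true)][string]$Server, [int]$Port = 25)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $net = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($net)
    $writer = New-Object System.IO.StreamWriter($net)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    try {
        if ((Read-SmtpReply $reader) -notmatch '^220') { throw 'No SMTP banner' }
        $writer.WriteLine('EHLO cipher-check.example')   # client name is an illustrative value
        if ((Read-SmtpReply $reader) -notmatch '^250') { throw 'EHLO rejected' }
        $writer.WriteLine('STARTTLS')
        if ((Read-SmtpReply $reader) -notmatch '^220') { throw 'STARTTLS not accepted' }
        # Accept any certificate: the goal is to see the negotiated suite, not to trust the peer.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        New-Object PSObject -Property @{
            Server = $Server; Protocol = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm; Cipher = $ssl.CipherAlgorithm
            CipherBits = $ssl.CipherStrength; Hash = $ssl.HashAlgorithm
        }
    } finally { $tcp.Close() }
}

# Usage (Set-... needs an elevated prompt; the partner host name is a placeholder):
Get-SchannelCipherSuiteOrder | Format-List
Set-SchannelCipherSuiteOrderPolicy -Suites @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
)
Test-SmtpStartTlsCipher -Server 'mail.partner.example' | Format-List
```

Run the Get call before and after the reboot to confirm the policy value has taken over from the local default. Because Exchange uses Schannel for TLS, the same order applies to the send connector's outbound STARTTLS; the Test call shows the suite the partner's server settles on, which is the one that matters for the boundary encryption, not just the top of your own list.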

Update: Exchange 2013 is not supported on servers where the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting is enabled (FIPS is the US Federal Information Processing Standard; see http://support.microsoft.com/?kbid=811833 for what that setting changes).
