Forum Discussion
Thai_Lam
Jun 21, 2019, Brass Contributor
Windows 2012 R2 Cipher does not take effect
Hi everyone,
I am experiencing a problem with PowerPoint sharing; other functions are OK, so I went to the front-end server and tried to access https://serverwac.domain.com/hosting/discovery and found I am not able to browse the page, with a TLS error.
gpresult /h shows the following cipher suite order:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, --------------
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, --------------
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, ----------------
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,-----------
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,-----------------
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,---------------
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,--------------------
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_SHA,
TLS_PSK_WITH_AES_256_GCM_SHA384,
TLS_PSK_WITH_AES_128_GCM_SHA256,
TLS_PSK_WITH_AES_256_CBC_SHA384,
TLS_PSK_WITH_AES_128_CBC_SHA256,
TLS_PSK_WITH_NULL_SHA384,
TLS_PSK_WITH_NULL_SHA256
Using Wireshark, the hello shows:
version: TLS 1.2 (0X0303)
Cipher Suites Length: 14
Cipher Suites (7 suites)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
The cipher order in the packet does not list everything in the group policy. I have tried unlinking the cipher hardening in group policy; it then advertised more ciphers (the Windows default ciphers) and I was able to browse the Office Web Apps link.
The SfB server is running SfB 2015 CU7 and Windows 2012 R2. The following update was applied:
https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1 although some updates said they were not applicable for the machine when I tried to install them again. I was able to see the cipher suites listed in the Microsoft link (https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1) using Wireshark after removing the cipher hardening policy.
Does anyone know why the cipher suite order in the group policy does not take effect, or what might be conflicting with it? I have to get the hardened cipher suites to work with the load-balanced Office Web Apps link. Thanks!
Edit:
I have further tried to create a new policy as in the following table "Match". The idea is to get hardened cipher suites and apply them only to Windows 2012 R2.
The table "Wireshark" refers to the cipher suites gathered from the machine without any group policy or cipher order, using the Wireshark "Hello".
The table "Manual cipher order" refers to the cipher order from the group policy.
The table "Match" is derived from "Wireshark" matched against "Manual cipher order".
Wireshark | Manual cipher order | Match |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | #N/A |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | #N/A |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA |
TLS_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_NULL_SHA256 | #N/A |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_NULL_SHA | #N/A |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLS_PSK_WITH_AES_256_GCM_SHA384 | #N/A |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_PSK_WITH_AES_128_GCM_SHA256 | #N/A |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_PSK_WITH_AES_256_CBC_SHA384 | #N/A |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_PSK_WITH_AES_128_CBC_SHA256 | #N/A |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_PSK_WITH_NULL_SHA384 | #N/A |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_PSK_WITH_NULL_SHA256 | #N/A |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | | #N/A |
However, with the newly created group policy from the above table "Match", Wireshark shows only 3 cipher suites, and gpresult /h shows the "Match" values have been applied.
- Thai_Lam, Brass Contributor
What an exciting one; I have finally figured out that the text of the cipher suites does not tally between Windows 2016 and 2012 R2.
So I went into the local group policy, navigated to "Local Computer Policy" > "Computer Configuration" > "Administrative Templates" > "Network" > "SSL Configuration Settings", took the value from the help and applied it in the group policy (the group policy does not have one).
So the difference looks like the following:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (wrong in 2012R2)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 (provided in local policy help)
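A small model of the behaviour this thread describes, added here as an example (not code from the thread or from Microsoft): it predicts which entries of the 2016-style hardened order a 2012 R2 box will actually advertise, and rewrites the ECDHE names with the curve suffix the local policy help shows. It assumes, following the answer above, that Schannel on 2012 R2 only knows ECDHE suite names carrying a _P256/_P384 suffix and silently drops entries it does not recognise; the suite lists are constructed from those quoted in the thread.

```python
"""Model why a 2016-style cipher suite order GPO only partly applies on
Windows 2012 R2 (added example, not code from the forum post). Assumption,
per the post's answer: Schannel on 2012 R2 only recognises ECDHE suite names
with a curve suffix (_P256/_P384, both accepted here) and silently drops
unknown names. Suite lists are constructed from those quoted in the post."""
import re
ECDHE_RE, SUFFIX_RE = re.compile(r"^TLS_ECDHE_"), re.compile(r"_P(256|384|521)$")

# Constructed: default 2012 R2 hello from the post's "Wireshark" column (IANA spelling).
DEFAULT_HELLO_2012R2 = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
""".split()

# Constructed: the hardened order from the post's gpresult /h output (2016 spelling).
HARDENED_POLICY = """
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA TLS_PSK_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384 TLS_PSK_WITH_AES_128_CBC_SHA256 TLS_PSK_WITH_NULL_SHA384
TLS_PSK_WITH_NULL_SHA256
""".split()

def schannel_names_2012r2(iana_names):
    """Names 2012 R2 accepts: ECDHE suites only with a curve suffix, all others as-is."""
    return {n + s for n in iana_names for s in (("_P256", "_P384") if ECDHE_RE.match(n) else ("",))}

def predict_hello(policy, recognised):
    """Policy entries that survive, in policy order; unrecognised names are dropped."""
    return [s for s in policy if s in recognised]

def to_2012r2_spelling(policy, curve="P384"):
    """Rewrite 2016-style ECDHE names with the curve suffix 2012 R2 expects."""
    return [s + "_" + curve if ECDHE_RE.match(s) and not SUFFIX_RE.search(s) else s
            for s in policy]
```

Running predict_hello over the hardened order yields exactly the seven non-ECDHE suites the first Wireshark capture showed, which is the symptom the thread opens with.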