Jan 25 2021 01:43 PM
Hello,
In v85, support for the TLS Cipher Suite Deny List management policy was added. I have a hard time using the TLS Cipher Suite Deny List management policy. The list of IANA cipher suites is rather long, and it makes sense to prevent usage of certain cipher suites only if they are offered by default. Is there an overview of the supported cipher suites?
Thanks
Joe
Jan 25 2021 02:36 PM - edited Jan 25 2021 02:37 PM
I really don't understand what you mean by that, but blocking ciphers can have heavy consequences on your internet navigation, so (I don't know how you will do that), but if you are aware of that, I would recommend blocking only ciphers that don't support "Perfect Forward Secrecy", but leave this config in a "test" configuration for some time to be sure you don't break something by accident.
Jan 26 2021 01:55 AM - edited Nov 03 2021 05:53 AM
Thanks for your response.
For example, if I would like to block all cipher suites not offering PFS, it would be a mess to configure. There are 350 different ciphers registered at IANA, two thirds of them without PFS.
It would be good to know which of the 350 ciphers are supported by MS Edge and filter them for the unwanted ones.
I read somewhere else that Edge now comes with its own crypto library and no longer relies on SCHANNEL. Therefore, SCHANNEL restrictions no longer apply to MS Edge, but do apply to IE.
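The filtering described in the post above can be scripted. The following is an added example, not part of the original thread: it parses a constructed sample in the column layout of the IANA TLS cipher suite CSV, keeps the suites without forward secrecy, and prints them as 16-bit hex strings. It assumes the policy accepts entries of the form `0x002f`; the `offered` set is a constructed stand-in for the browser's real list, which this page does not give.

```python
import csv
import io
import re

# Constructed sample in the column layout of IANA's cipher suite CSV export.
SAMPLE_CSV = '''Value,Description,DTLS-OK,Recommended,Reference
"0x00,0x0A",TLS_RSA_WITH_3DES_EDE_CBC_SHA,Y,N,[RFC5246]
"0x00,0x2F",TLS_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x9C",TLS_RSA_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x00,0xFF",TLS_EMPTY_RENEGOTIATION_INFO_SCSV,Y,N,[RFC5746]
"0x00,0x1C-1D",Reserved to avoid conflicts with SSLv3,,,[RFC5246]
"0x13,0x01",TLS_AES_128_GCM_SHA256,Y,Y,[RFC8446]
"0xC0,0x13",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC8422]
"0xCC,0xA8",TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,Y,[RFC7905]
'''

VALUE_RE = re.compile(r"^0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})$")
PFS_KEX = ("TLS_ECDHE_", "TLS_DHE_")  # ephemeral (EC)DH key exchange


def parse_registry(text):
    """Return {code: name} for real suites; skip ranges, reserved rows, SCSVs."""
    suites = {}
    for row in csv.DictReader(io.StringIO(text)):
        m = VALUE_RE.match(row["Value"].strip())
        name = row["Description"].strip()
        if not m or not name.startswith("TLS_") or name.endswith("_SCSV"):
            continue
        suites[int(m.group(1) + m.group(2), 16)] = name
    return suites


def has_pfs(name):
    # TLS 1.3 suite names carry no "_WITH_" and name no key exchange; they are
    # treated as forward-secret here (assumption of this example).
    return "_WITH_" not in name or name.startswith(PFS_KEX)


def deny_list(text, offered=None):
    """Hex entries for non-PFS suites, optionally limited to offered codes."""
    return [
        f"0x{code:04x}"
        for code, name in sorted(parse_registry(text).items())
        if not has_pfs(name) and (offered is None or code in offered)
    ]


if __name__ == "__main__":
    # Constructed "offered by the browser" set, for illustration only.
    print(deny_list(SAMPLE_CSV, {0x1301, 0xC02F, 0xCCA8, 0xC013, 0x009C, 0x002F}))
```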
Nov 03 2021 06:00 AM - edited Nov 05 2021 01:55 AM
Eric posted the solution over there: https://github.com/MicrosoftDocs/Edge-Enterprise/issues/254