TLS Cipher Suite Deny List management policy




in v85 support for the TLS Cipher Suite Deny List management policy was added. I have a hard time to use the TLS Cipher Suite Deny List management policy. The list of IANA cipher suites is rather long and it makes sense to prevent usage of certain cipher suites only if they are offered by default. Is there an overview about the supported cipher suites?



3 Replies

i really don't understand what you mean by thats, but blocking cipher can have heavy consequence on your internet navigation, so (i don't know how you will do that), but if you are aware of that, i will recommand to block only cipher who don't support "Perfect Forward Secrecy", but let this config in "test" configuration for some time to be sure you don't break something by accident.

Thanks for your response.

For example, if i like to block all cipher suites not offering PFS, it would be a mess to configure. There are 350 different ciphers registered at IANA, two third of them without PFS.

Would be good to know which of the 350 ciphers are supported by MS Edge and filter them for the unwanted ones.

I read somewhere else, that Edge comes now with an own crypto library and does no longer relay on SCHANNEL. Therefore, schannel restrictions do no longer apply for MS Edge, but do for IE.

best response confirmed by Johannes Goerlich (Contributor)