TLS Cipher Suite Deny List management policy


Hello,


In v85 support for the TLS Cipher Suite Deny List management policy was added. I have a hard time using the TLS Cipher Suite Deny List management policy. The list of IANA cipher suites is rather long and it makes sense to prevent usage of certain cipher suites only if they are offered by default. Is there an overview of the supported cipher suites?

Thanks

Joe

2 Replies

I really don't understand what you mean by that, but blocking ciphers can have heavy consequences on your internet navigation, so (I don't know how you will do that), but if you are aware of that, I would recommend blocking only ciphers which don't support "Perfect Forward Secrecy", but leave this config in "test" configuration for some time to be sure you don't break something by accident.

Thanks for your response. It is not comfortable to block only ciphers without PFS. There are 350 different ciphers, 2/3 without PFS. Better would be to know which of the 350 ciphers are supported by MS Edge and filter them for the unwanted ones. I read somewhere else that Edge now comes with its own crypto library and no longer relies on SCHANNEL...
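The two replies above amount to a procedure: take the IANA cipher suite registry, keep only the suites without forward secrecy, and then narrow that set to the suites the browser actually offers so the deny list stays short. The script below is an added example of that procedure, not code from the thread or from Microsoft. It uses a few constructed rows in the layout of the IANA CSV export rather than the full registry, and it makes three labelled assumptions: that the policy takes suite codes as `0x` plus four hex digits (e.g. `0x009c`), that a Chromium list policy is stored on Windows as string values named `1`, `2`, ... under the policy's registry key, and a guessed set of RSA key-exchange suites that a Chromium-based browser commonly still offers for TLS 1.2 (`ASSUMED_DEFAULT_OFFER`), which must be checked against a real ClientHello capture before use. TLS 1.3 suites are skipped because they always use ephemeral key exchange, and reserved or unassigned ranges are skipped because they carry no concrete suite code.

```python
"""Derive a TLSCipherSuiteDenyList (hex suite codes) from IANA registry rows.

Approach: parse the IANA "TLS Cipher Suites" CSV, drop TLS 1.3 suites and
reserved/unassigned ranges, classify each remaining suite by whether its key
exchange is ephemeral (ECDHE/DHE), and optionally intersect with the set of
suites the browser actually offers, so the deny list stays short.
"""
import csv
import io
import re

# Constructed sample rows in the column layout of the IANA CSV export
# (Value,Description,DTLS-OK,Recommended,Reference). Not the full registry.
SAMPLE_IANA_CSV = """\
Value,Description,DTLS-OK,Recommended,Reference
"0x00,0x00",TLS_NULL_WITH_NULL_NULL,Y,N,[RFC5246]
"0x00,0x1C-1D",Reserved to avoid conflicts with SSLv3,,,[RFC5246]
"0x00,0x2F",TLS_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x00,0x35",TLS_RSA_WITH_AES_256_CBC_SHA,Y,N,[RFC5246]
"0x00,0x9C",TLS_RSA_WITH_AES_128_GCM_SHA256,Y,N,[RFC5288]
"0x00,0x9D",TLS_RSA_WITH_AES_256_GCM_SHA384,Y,N,[RFC5288]
"0x13,0x01",TLS_AES_128_GCM_SHA256,Y,Y,[RFC8446]
"0xC0,0x13",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xC0,0x2B",TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC8422][RFC5289]
"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,Y,[RFC8422][RFC5289]
"0xC0,0x18",TLS_ECDH_anon_WITH_AES_128_CBC_SHA,Y,N,[RFC8422]
"0xCC,0xA8",TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,Y,Y,[RFC7905]
"""

# A concrete suite code looks like "0x00,0x9C"; ranges like "0x00,0x1C-1D" do not match.
_VALUE_RE = re.compile(r"^0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})$")


def parse_iana_rows(text):
    """Yield (code, name) for concrete cipher suites; skip ranges and placeholders."""
    for row in csv.DictReader(io.StringIO(text)):
        m = _VALUE_RE.match(row["Value"].strip())
        name = row["Description"].strip()
        if not m or not name.startswith("TLS_"):
            continue  # reserved/unassigned ranges carry no suite code to deny
        yield (int(m.group(1), 16) << 8) | int(m.group(2), 16), name


def is_tls13_suite(name):
    """TLS 1.3 suites (RFC 8446) name only the AEAD, never a key exchange."""
    return "_WITH_" not in name


def is_forward_secret(name):
    """Ephemeral (EC)DHE key exchange gives forward secrecy. Anonymous DH/ECDH
    suites are ephemeral too but unauthenticated, so they are deliberately
    left in the deny list by this check."""
    return "_ECDHE_" in name or "_DHE_" in name


def format_policy_code(code):
    """Assumed policy value format: '0x' + four lowercase hex digits, e.g. 0x009c."""
    return "0x%04x" % code


def build_deny_list(iana_csv, offered_by_default=None):
    """Return sorted policy strings for non-PFS TLS 1.2 suites.

    offered_by_default: optional set of suite codes the browser actually
    offers; when given, only those are listed (the point of the thread).
    """
    deny = []
    for code, name in parse_iana_rows(iana_csv):
        if is_tls13_suite(name) or is_forward_secret(name):
            continue
        if offered_by_default is not None and code not in offered_by_default:
            continue
        deny.append(code)
    return [format_policy_code(c) for c in sorted(set(deny))]


# Assumed (not taken from the thread): suites a Chromium-based browser commonly
# still offers for TLS 1.2. Verify against a real ClientHello capture first.
ASSUMED_DEFAULT_OFFER = {0x002F, 0x0035, 0x009C, 0x009D, 0xC013, 0xC014,
                         0xC02B, 0xC02C, 0xC02F, 0xC030, 0xCCA8, 0xCCA9}


def registry_values(policy_codes):
    """Assumed on-disk layout of a Chromium list policy on Windows: string
    values named '1', '2', ... under the policy's registry key."""
    return {str(i): code for i, code in enumerate(policy_codes, start=1)}


if __name__ == "__main__":
    full = build_deny_list(SAMPLE_IANA_CSV)
    short = build_deny_list(SAMPLE_IANA_CSV, ASSUMED_DEFAULT_OFFER)
    print("all non-PFS suites in sample:", full)
    print("only those offered by default:", short)
    print("registry values:", registry_values(short))
```

Feeding the real IANA CSV to `build_deny_list` without `offered_by_default` reproduces the long list the first reply warns about; passing the set of suites observed in the browser's own ClientHello is what turns it into the short, targeted list the second post asks for. As the first reply says, roll the result out to a test group first, since a deny list that removes every RSA suite will fail against servers that offer nothing else.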