Apr 24 2024 01:35 PM - edited Apr 24 2024 01:40 PM
I configured the available cipher suites for an Exchange 2013 server as described here in the best practice document by putting them into the appropriate registry key:
HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
But when looking at a packet capture of an outgoing SMTP session of that server which used STARTTLS, I observed that it was offering a completely different set of ciphers. Is that registry key not being used for STARTTLS by Exchange Server and if so, where do the ciphers for that have to be configured instead?
Apr 24 2024 01:42 PM
Hi @SAMFS
I guess that these depend on how the OS is configured. Have a look here
Kind Regards
Andres
Apr 24 2024 01:45 PM
Apr 24 2024 02:32 PM
Apr 25 2024 01:12 AM - edited Apr 25 2024 01:16 AM
By capturing the traffic to and from the server using Wireshark. The Exchange server contacted another SMTP host and, after sending the STARTTLS command, it sent the following cipher suites as part of the handshake:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
While the ciphers in the above registry key are as follows:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
This matches the list from the best practice document.
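The comparison the two posters are circling around can be done mechanically. What follows is an added example written for this page, not code from the thread, from Exchange or from Microsoft: it parses a TLS ClientHello record the way Wireshark does, normalises the SChannel names from the Functions value of the SSL\00010002 key (their _P256/_P384 suffix names the curve the suite may be used with and is not part of the IANA suite name a capture shows), and diffs the two lists. The two lists are the ones posted above, embedded as constants; the ClientHello is constructed inline so the script runs offline.

```python
"""Added example: compare the suites a STARTTLS ClientHello actually offers with the
SChannel list under SSL\\00010002. Not part of the original thread."""
import re

# IANA cipher suite codes for the suites named in the thread
# (values from the IANA TLS Cipher Suites registry).
IANA_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
CODES = {name: code for code, name in IANA_NAMES.items()}

# The Functions value of SSL\00010002 as posted in the thread (SChannel names,
# with the _P256/_P384 curve suffix that the IANA names never carry).
CONFIGURED = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
""".split()

# The suites Wireshark showed in the ClientHello sent after STARTTLS, as posted.
OFFERED_IN_CAPTURE = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5
""".split()

_CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")


def schannel_to_iana(name):
    """Strip the SChannel curve suffix; the curve is negotiated separately
    (supported_groups extension), so it is invisible in the cipher suite list."""
    return _CURVE_SUFFIX.sub("", name)


def build_client_hello(suite_names):
    """Constructed TLS 1.2 ClientHello record (zero random, empty session id,
    no extensions) offering the given suites, so the parser can be run offline."""
    suites = b"".join(CODES[n].to_bytes(2, "big") for n in suite_names)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # client_version, random, session_id
            + len(suites).to_bytes(2, "big") + suites  # cipher_suites vector
            + b"\x01\x00" + b"\x00\x00")               # compression_methods: null; no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def cipher_suites_from_client_hello(record):
    """IANA names of the suites offered in a raw ClientHello record, in wire order
    (what Wireshark lists under Cipher Suites); unknown codes are kept as hex."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session_id length byte and session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    codes = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return [IANA_NAMES.get(c, f"0x{c:04X}") for c in codes]


def _dedupe(names):
    seen = set()
    return [n for n in names if not (n in seen or seen.add(n))]


def compare(configured_schannel, offered_iana):
    """Return (offered but not configured, configured but not offered), list order kept."""
    configured = _dedupe(schannel_to_iana(n) for n in configured_schannel)
    offered = _dedupe(offered_iana)
    return ([n for n in offered if n not in configured],
            [n for n in configured if n not in offered])


if __name__ == "__main__":
    hello = build_client_hello(OFFERED_IN_CAPTURE)
    unexpected, missing = compare(CONFIGURED, cipher_suites_from_client_hello(hello))
    print("offered by the SMTP client but not in SSL\\00010002:", *unexpected, sep="\n  ")
    print("in SSL\\00010002 but never offered:", *missing, sep="\n  ")
```

On the thread's data the script reports five suites offered that the key does not list (the plain RSA AES-CBC, 3DES and both RC4 suites) and eight listed suites that were never offered (every ECDHE_ECDSA suite and both RSA GCM suites). Once the curve suffix is stripped, a diff of that size shows the ClientHello was not built from that key's list at all, which narrows the question to whichever component on the server actually assembled it. To run it against a live server, replace CONFIGURED with the lines of the Functions value read from the key (a multi-string value under the Local key; the Group Policy variant under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 stores the same list as one comma-separated string) and feed the ClientHello bytes exported from Wireshark to cipher_suites_from_client_hello.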
Apr 26 2024 01:59 AM
Hi @SAMFS
I've captured the traffic from an openssl STARTTLS test:
openssl s_client -starttls smtp -connect mail.icewolf.ch:25
After STARTTLS and the server responding 220,
the client sends a list of cipher suites it supports.
Then the server picks one.
Similar to HTTPS.
Kind Regards
Andres
Apr 29 2024 05:32 AM - edited Apr 29 2024 05:33 AM
Hi @Andres Bohren!
Yes, that's what I did, too. The problem is that our Exchange server, after sending the STARTTLS command, does not offer the cipher suites that are listed in the above-mentioned registry key, but a different set. And I don't know why it behaves like that.