
Windows 2012 R2 Cipher does not take effect


Hi everyone,

I am experiencing a problem with PowerPoint sharing; other functions are OK. So I went to the front-end server and tried to access https://serverwac.domain.com/hosting/discovery and found I am not able to browse the page, with a TLS error.

 

gpresult /h shows the following cipher suite order:

 

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, ----
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ----
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA, ----
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, ----
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, ----
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, ----
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, ----
TLS_RSA_WITH_NULL_SHA256,
TLS_RSA_WITH_NULL_SHA,
TLS_PSK_WITH_AES_256_GCM_SHA384,
TLS_PSK_WITH_AES_128_GCM_SHA256,
TLS_PSK_WITH_AES_256_CBC_SHA384,
TLS_PSK_WITH_AES_128_CBC_SHA256,
TLS_PSK_WITH_NULL_SHA384,
TLS_PSK_WITH_NULL_SHA256

 

Using Wireshark, the Client Hello shows:

Version: TLS 1.2 (0x0303)
Cipher Suites Length: 14
Cipher Suites (7 suites)
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA

 

The cipher order in the packet does not list everything in the group policy. I have tried unlinking the cipher hardening in group policy; it was then advertising more ciphers (the Windows default ciphers) and I was able to browse the Office Web Apps link.

 

The SfB server is running SfB 2015 CU7 and Windows 2012 R2. The following update was applied:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1 although some updates said "not applicable" to the machine when I tried to install them again. I was able to see the cipher suites listed in the Microsoft link (https://docs.microsoft.com/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1) using Wireshark after removing the cipher hardening policy.

 

Does anyone know why the cipher suite order in the group policy does not take effect, or what might be conflicting with it? I have to get the hardened cipher suites to work with the load-balanced Office Web Apps link. Thanks!

 

Edit:

I have further tried to create a new policy as in the following table "Match". The idea is to get hardened cipher suites and apply them only to Windows 2012 R2.

The table "Wireshark" refers to the cipher suites gathered from the machine without any group policy or cipher order, taken from the Wireshark "Hello".

The table "Manual cipher order" refers to the cipher order from the group policy.

The table "Match" derives from "Wireshark" matched against "Manual cipher order".

 

Wireshark | Manual cipher order | Match
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | #N/A
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | #N/A
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLS_RSA_WITH_NULL_SHA256 | #N/A
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLS_RSA_WITH_NULL_SHA | #N/A
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLS_PSK_WITH_AES_256_GCM_SHA384 | #N/A
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | TLS_PSK_WITH_AES_128_GCM_SHA256 | #N/A
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | TLS_PSK_WITH_AES_256_CBC_SHA384 | #N/A
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | TLS_PSK_WITH_AES_128_CBC_SHA256 | #N/A
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | TLS_PSK_WITH_NULL_SHA384 | #N/A
TLS_RSA_WITH_3DES_EDE_CBC_SHA | TLS_PSK_WITH_NULL_SHA256 | #N/A
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | | #N/A

 

However, with the newly created group policy from the above table "Match", Wireshark shows only 3 cipher suites, and gpresult /h shows the "Match" values have applied.

1 Reply

Solution (best response confirmed by Thai_Lam)

What an exciting one; I have finally figured out that the text of the cipher suites does not tally between Windows 2016 and 2012 R2.

 

So I went into the local group policy, navigated to "Local Computer Policy" > "Computer Configuration" > "Administrative Templates" > "Network" > "SSL Configuration", took the value from the help and applied it in the group policy (the group policy does not have one).

 

So the difference looks like the following:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (wrong in 2012 R2)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 (provided in local policy help)
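As an added example (not code from either post), a small Python audit that reproduces the poster's "Match" comparison and goes one step further: it lists the policy entries that never reached the wire and rewrites the order using the curve-suffixed 2012 R2 names the accepted answer points to. The `_P256`/`_P384` suffix rule, the 1023-character limit on the policy string, and the partial `R2_HELP_NAMES` set are assumptions to verify against the local policy help text on the host; the sample inputs are constructed from the lists in the question.

```python
# Constructed from the page: the order pushed by group policy (2016-style names).
GPO_ORDER = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,"
    "TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,"
    "TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,"
    "TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256"
)
# Constructed from the page: the 7 suites Wireshark saw in the Client Hello.
ADVERTISED = {
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
}
# Names the host itself lists in its local policy help text. Partial, constructed
# sample: on a real host paste the whole list; here only the name the answer quotes.
R2_HELP_NAMES = ADVERTISED | {"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384"}
MAX_POLICY_LEN = 1023  # assumed limit of the 2012 R2 cipher suite order string
CURVE_SUFFIXES = ("_P256", "_P384")  # assumed 2012 R2 ECDHE naming convention

def parse_order(policy):
    """Split the policy string the way gpresult shows it (comma separated)."""
    return [s.strip() for s in policy.split(",") if s.strip()]

def dropped_by_schannel(policy, advertised):
    """Policy entries that never reached the wire, in policy order."""
    return [s for s in parse_order(policy) if s not in advertised]

def r2_candidates(suite):
    """Names 2012 R2 could expect for an ECDHE suite written in 2016 style."""
    if suite.startswith("TLS_ECDHE_") and not suite.endswith(CURVE_SUFFIXES):
        return [suite + sfx for sfx in CURVE_SUFFIXES]
    return [suite]

def rewrite_order(policy, known):
    """Keep only entries (or their suffixed candidates) the host actually knows."""
    kept = []
    for suite in parse_order(policy):
        kept += [c for c in r2_candidates(suite) if c in known]
    out = ",".join(kept)
    if len(out) > MAX_POLICY_LEN:
        raise ValueError(f"{len(out)} chars exceeds the {MAX_POLICY_LEN} limit")
    return out
```

Run `dropped_by_schannel(GPO_ORDER, ADVERTISED)` to see the 18 entries that were silently ignored, and compare `rewrite_order(GPO_ORDER, R2_HELP_NAMES)` against what the Client Hello advertises after the policy refresh.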
