5

I'm experiencing issues receiving TLS encrypted e-mail from a specific domain. We entered into an agreement to use a 256-bit cipher and apparently our Exchange 2007 server on Windows Server 2003 isn't offering that up as an option, thus everything is getting rejected for only offering 128-bit encryption.

Rather than have them change things on their end, I'd like to resolve it on ours. I found a hotfix that allows me to add 256-bit AES ciphers to the list of available ciphers. I installed the hotfix, but it did not resolve my issue.

After reading this article, I'm suspecting that our Exchange 2007 server's cipher order is offering up 128-bit encryption first, and then the remote server is RSET'ing the connection when we do so. I'd like to verify that our server is offering up the 256-bit encryption option first.

The Computer Configuration | Administrative Templates | Network | SSL Configuration Settings | SSL Cipher Suite Order key doesn't exist on my Windows Server 2003 Exchange box, so I can't modify it.

Does ANYONE have any clue about how to go about resolving this issue?

pk.
  • 6,451
  • 2
  • 42
  • 63

2 Answers2

4

Apparently it is not possible to reorder the SSL Cipher Suite. My Windows Server 2003 Exchange 2007 server will always and forever offer AES-128 before AES-256 unless I disable the use of AES-128 by modifying the following registry key.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128 : DWORD Enabled=0x0

With Windows Server 2008, you can just change the SSL Cipher Suite Order.

pk.
  • 6,451
  • 2
  • 42
  • 63
2

I know this is an old post, but maybe it will help someone else. Here is how to change the cipher order for 2008. I had this same problem that took me months to work out between Microsoft and the other side that required AES 256. The other side could not even tell me how to accomplish this. i had to get forwarded around microsoft for weeks 19 times before I got this:

On your Exchange bridgehead: gpedit.msc > Local Computer Policy > Computer Configuration > Administrative templates > Network > SSL Configuration Settings > SSL Cipher Suite Order > Enabled

Cut out what is in the "SSL Ciper Suites" field (paste to notepad for safe keeping) and copy the following into the "SSL Cipher Suites" field (dont worry, it will all fit)

TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA

Might have to restart some services or reboot the server. Hope it works out.

Mathias R. Jessen
  • 25,161
  • 4
  • 63
  • 95
jshan
  • 21
  • 1
  • Looking at this list I would actually prioritise ECDHE (elliptic curve) ciphers - move them to the top. And remove the NULL ones (like TLS_RSA_WITH_NULL). – DmitryK Jul 24 '15 at 14:27