Half of my users' IE 11.0.9600 browsers suddenly stopped connecting to my older WebLogic (Java) servers. After some digging around, all the users presently unable to connect to these older WL servers have 2 DH ciphers installed:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039,
Where could these ciphers possibly have come from? They're not mentioned in any Microsoft documentation, so far as I can find. I see them mentioned in IBM SSL SDKs and Apple Open Source, but I have people with all our IBM stuff installed that don't have these ciphers and I have installed iTunes on a test PC and it didn't install these ciphers. If Microsoft, IBM, and Apple didn't install these on my impacted users' computers, what might have done so?
The presenting issue is not as important to me as the source. The symptom is that these two ciphers appear higher in the cipher order than the next common cipher (AES128 with RSA), so one of them is selected in the handshake on these machines. The negotiation fails because the older WL servers are sending a 512-bit DH key, and Microsoft SChannel now requires 1024. New WL servers send 1024, and we can fix that. We can also enter the registry key to cause SChannel to accept the 0x0200 (512-bit) key. So, we can fix this point issue easily enough on either end, but the mystery is understanding where these ciphers actually came from.
Thanks for any help. I considered submitting this on SuperUser, but figured server-side was more likely to have seen the issue.
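As an added example (not part of the original question, and not any vendor's own tooling), the following PowerShell script checks the three things the question turns on, on one affected and one unaffected client: which registry location SChannel is currently taking its cipher-suite order from (the Group Policy location takes precedence over the local default when it is present, which narrows down where a changed order came from), where the two DHE suites sit relative to TLS_RSA_WITH_AES_128_CBC_SHA, and whether the Diffie-Hellman ClientMinKeyBitLength override has been set. The registry paths are SChannel's documented locations; the write at the end is the 512-bit override mentioned in the question and is left commented out because it weakens the client. It assumes the Windows 7/8.1-era registry layout that IE 11.0.9600 runs on and an elevated shell for the write.

```powershell
# Added example: locate the SChannel cipher-suite order, rank the two DHE suites against
# TLS_RSA_WITH_AES_128_CBC_SHA, and show the DH minimum-key-length override.
# Registry paths are the documented SChannel locations (assumption: Win7/8.1 layout).

$PolicyOrder = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalOrder  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$DhKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

$Suspect   = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
$Reference = 'TLS_RSA_WITH_AES_128_CBC_SHA'

function Get-SchannelCipherOrder {
    # A Group Policy order (REG_SZ, comma-separated) wins when present;
    # otherwise SChannel uses the local default list (REG_MULTI_SZ).
    if (Test-Path $PolicyOrder) {
        $v = (Get-ItemProperty -Path $PolicyOrder -ErrorAction SilentlyContinue).Functions
        if ($v) {
            $suites = @($v -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            return [pscustomobject]@{ Source = 'GroupPolicy'; Suites = $suites }
        }
    }
    $v = (Get-ItemProperty -Path $LocalOrder -ErrorAction SilentlyContinue).Functions
    return [pscustomobject]@{ Source = 'LocalDefault'; Suites = @($v) }
}

function Test-DheOrder {
    # For each DHE suite: its index in the order (-1 = absent) and whether it precedes
    # the RSA/AES128 suite, i.e. whether SChannel will prefer it in the ClientHello.
    param([string[]]$Suites)
    $refIdx = [array]::IndexOf($Suites, $Reference)
    foreach ($s in $Suspect) {
        $idx = [array]::IndexOf($Suites, $s)
        [pscustomobject]@{
            Suite         = $s
            Position      = $idx
            AheadOfRsaAes = ($idx -ge 0) -and (($refIdx -lt 0) -or ($idx -lt $refIdx))
        }
    }
}

$order = Get-SchannelCipherOrder
"Cipher-suite order comes from: $($order.Source) ($($order.Suites.Count) suites)"
Test-DheOrder -Suites $order.Suites | Format-Table -AutoSize

# Minimum DH group size the client accepts; absent means SChannel's built-in default.
$min = (Get-ItemProperty -Path $DhKey -ErrorAction SilentlyContinue).ClientMinKeyBitLength
if ($null -ne $min) { "ClientMinKeyBitLength: $min (0x{0:X})" -f $min }
else                { 'ClientMinKeyBitLength: not set (built-in default applies)' }

# Interim workaround from the question: accept 512-bit DH from the old WebLogic servers.
# This re-enables a weak key exchange; remove it once the servers send 1024-bit groups.
# Requires an elevated shell. Uncomment to apply:
# New-Item -Path $DhKey -Force | Out-Null
# Set-ItemProperty -Path $DhKey -Name ClientMinKeyBitLength -Type DWord -Value 0x200
```

Run it on a machine that fails and one that works and diff the two outputs: a differing `Source` line tells you whether a policy-supplied order is in play on the affected machines, and `AheadOfRsaAes = True` for either DHE suite reproduces the ordering the question describes.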