0

I have an IIS website running on two servers. One server is Windows Server 2016, the other Windows Server 2012. Under certain circumstances these two servers need to talk to each other.

The cipher used on Windows Server 2012 is: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

The cipher used on Windows Server 2016 is: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

I'd like both servers to use the same cipher. What's the best way to make that happen? Can I install the newer cipher on Server 2012? If so, how is this done? Or do I have to tell Server 2016 to use the older cipher?

Vincent
  • May be helpful: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12 – Håkan Lindqvist Jun 13 '18 at 19:53
  • My solution was to upgrade the 2012 machine to 2016. Couldn't find any other way to make the ciphers match despite the handy tool that benniz recommended below. – Vincent Sep 13 '18 at 15:31

2 Answers

1

You can't install cipher-suites on Windows machines, but you can disable them and select the usage order.

Here is a nice little tool that helps you configure the cipher suites as you want them.

https://www.nartac.com/Products/IISCrypto

If you don't want to go into that much detail, just hit the "Best Practices" button.

benniz
  • That looks like a great little tool. Have you used it? – Vincent Jun 14 '18 at 21:37
  • Well, I changed the cipher order both with and without the tool you recommended, but both times it didn't seem to work. Firefox is still using the GCM cipher even though I put the CBC cipher at the top of the list. Am I missing something? – Vincent Jun 15 '18 at 01:58
0

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is nowadays considered a weak cipher suite; I wouldn't recommend using it.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is not supported on Windows Server 2012 R2, and newer ciphers can be considered a Windows ‘feature’ that has been introduced on newer operating systems only: https://willjessiam.blog/2021/02/06/tls_ecdhe_rsa_with_aes_256_gcm_sha384-cipher-with-server-2012-r2/

Ace
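Since suites can only be disabled or reordered, a useful first check is which suites the two servers have in common and in what order the accepting side ranks them. The PowerShell below is an added example, not code from either answer or from IIS Crypto; the helper name `Get-CommonCipherSuite` and both suite lists are constructed for illustration. It assumes that Server 2012 lists suites with a curve suffix such as `_P256` while Server 2016 does not, and that the accepting side's priority order decides the selection.

```powershell
# Added example: list the suites two machines share, in the accepting side's
# priority order. Get-CommonCipherSuite is a hypothetical helper name.
function Get-CommonCipherSuite {
    param(
        [Parameter(Mandatory)][string[]]$ServerOrder,  # accepting side, priority order
        [Parameter(Mandatory)][string[]]$ClientOffer   # connecting side, enabled suites
    )
    # Assumption: older Windows versions append the curve to the suite name
    # (..._P256, ..._P384); strip it so names compare equal across versions.
    $normalize = { param($n) ($n.Trim() -replace '_P(256|384|521)$', '').ToUpperInvariant() }

    $offered = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($s in $ClientOffer) { [void]$offered.Add((& $normalize $s)) }

    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($s in $ServerOrder) {
        $name = & $normalize $s
        if (-not $seen.Add($name)) { continue }          # listed once per curve
        if (-not $offered.Contains($name)) { continue }  # other side lacks it
        $mode = if ($name -match '_GCM_') { 'GCM (AEAD)' } elseif ($name -match '_CBC_') { 'CBC' } else { 'other' }
        [pscustomobject]@{ Suite = $name; Mode = $mode }
    }
}

# Constructed sample lists, not taken from the servers in the question.
# Real lists: (Get-TlsCipherSuite).Name on Server 2016; on Server 2012 the
# 'Functions' value under
# HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
$server2012 = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
)
$server2016 = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)

# Server 2012 connecting to Server 2016: rows come out in 2016's priority order.
Get-CommonCipherSuite -ServerOrder $server2016 -ClientOffer $server2012 | Format-Table -AutoSize
```

Swap the two arguments to see the result for connections in the other direction.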