I am trying to figure out the cipher suite version used for the TLS handshake on a web server.
- Following "Enable Schannel event logging in Windows and Windows Server", I set the registry to 0x05 (informational, success and error) and can see the logs in Event Viewer.
- I can also find Event ID 36880 ("An SSL (client or server) Handshake Completed Successfully") events, in which I can see something like this:
```
A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
Protocol version: TLS 1.2
CipherSuite: 0xC030
Exchange strength: 384 bits
Context handle: 0xABC
Target name: x.x.x.x
Local certificate subject name:
Remote certificate subject name: CN=*.xyz.com
```
The CipherSuite version (0xC030 in this case) is what I am interested in.
To further test if this is working correctly, I used OpenSSL to perform a TLS handshake with a specific cipher suite.
```
openssl s_client -connect mywebsite.com:443 -cipher AES128-GCM-SHA256
<omitted>
SSL handshake has read 4702 bytes and written 603 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
<omitted>
```
I can see that the handshake was indeed successful. However, on checking Event Viewer, I still see SCHANNEL events with CipherSuite version 0xC030 instead of the expected 0x009C (using Supported cipher suites to identify the hex value for cipher suites).
Any pointers on why I can't see the correct cipher suite version in Event Viewer despite performing a handshake with specific cipher suites?
Appreciate your help, thanks!
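
Added example, not part of the original post: a parser for the Event ID 36880 message text quoted above that reports which side of the handshake (client or server) an event describes and resolves the CipherSuite value to its IANA name, so events can be filtered by role and suite. The server-side sample is constructed and assumes the message reads "TLS server handshake" where the quoted event reads "TLS client handshake"; the function names are hypothetical.

```python
import re

# IANA cipher suite IDs: the two values from the post plus two close relatives.
SUITES = {
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
ROLE_RE = re.compile(r"\b(?:TLS|SSL) (client|server) handshake completed", re.I)
FIELD_RE = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.M)

# Message text as quoted in the post.
CLIENT_EVENT = """A TLS client handshake completed successfully. The negotiated cryptographic parameters are as follows.
Protocol version: TLS 1.2
CipherSuite: 0xC030
Exchange strength: 384 bits
Context handle: 0xABC
Target name: x.x.x.x
Local certificate subject name:
Remote certificate subject name: CN=*.xyz.com"""

# Constructed sample (assumption: server-side wording mirrors the client form).
SERVER_EVENT = """A TLS server handshake completed successfully. The negotiated cryptographic parameters are as follows.
Protocol version: TLS 1.2
CipherSuite: 0x009C
Exchange strength: 2048 bits"""

def parse_36880(message):
    """Extract handshake role, protocol and cipher suite from one event message."""
    role = ROLE_RE.search(message)
    fields = {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(message)}
    raw = fields.get("ciphersuite")
    suite_id = int(raw, 16) if raw else None  # int() accepts the "0x" prefix
    return {
        "role": role.group(1).lower() if role else "unknown",
        "protocol": fields.get("protocol version", ""),
        "suite_id": suite_id,
        "suite_name": SUITES.get(suite_id, "unknown"),
        "target": fields.get("target name", ""),
    }

def find_handshakes(messages, role, suite_id):
    """Return parsed events that match both the handshake role and the suite ID."""
    parsed = [parse_36880(m) for m in messages]
    return [p for p in parsed if p["role"] == role and p["suite_id"] == suite_id]
```
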