While journeying down the whole cipher suite road this weekend, I put together a little one-liner that reconfigures the cipher suite order that Windows (Schannel, and so IIS, IE and everything else on the box that uses it) will try to use. As I mentioned in a previous blog post, you can configure this via GPO. But maybe you want to build the configuration into a golden image. You probably have other PowerShell scripts to configure your golden image, so you can throw this command in to tweak the cipher suite order.
The cipher suite list in this command is only valid on Windows Server 2008 R2 and Windows 7. If you are on Vista or Server 2008, look at your existing registry key for the list of cipher suites that build supports (the local default list is the Functions value under HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002) and modify the script accordingly; many of the newer cipher suites are not available on 2008/Vista.
After you copy and paste the script to your computer, remove every line break and space inside the cipher suite string. Schannel expects one comma-separated list with no whitespace, and a suite name with a stray space in front of it is not a name Schannel knows. The value is also limited to 1,023 characters on these versions, and this list with the two SSL 2.0 suites included runs right up against that limit, so leave those obsolete suites out rather than trying to fit them in.
---
# Create the policy key first: it does not exist on a fresh image until a cipher suite
# GPO has been applied, and Set-ItemProperty fails on a missing key.
$path = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

# One suite per line so no stray spaces or line breaks end up inside a name.
$suites = @(
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5"
    # SSL 2.0 suites: obsolete, and adding them pushes the value past Schannel's
    # 1,023-character limit. Uncomment only if you really need SSL 2.0 clients.
    # "SSL_CK_RC4_128_WITH_MD5",
    # "SSL_CK_DES_192_EDE3_CBC_WITH_MD5"
)

$value = $suites -join ","
if ($value.Length -gt 1023) {
    throw "Cipher suite list is $($value.Length) characters; Schannel allows at most 1023."
}

Set-ItemProperty -Path $path -Name "Functions" -Value $value -Type String
# Schannel reads this at startup, so reboot (or seal the image) before testing.
---
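To check the result on a built image, here is an added verification script (mine, not from the post) that reads the policy value back and compares every entry against the list of suites the build actually supports. It assumes the policy key used above, and that the platform's default list lives as a REG_MULTI_SZ Functions value under HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002, which is the same key you would read on Vista / 2008 to see which suites exist there.

```powershell
# Added check script, not from the original post. Reads the policy value written by the
# command above and validates it against the suites this build of Windows ships with.
# Assumed key paths: $policyKey is the policy location used above; $localKey holds the
# platform's default list as a REG_MULTI_SZ (one suite per element).
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
$localKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002"

if (-not (Test-Path $policyKey)) { throw "No cipher suite policy at $policyKey" }

$available = (Get-ItemProperty -Path $localKey  -Name Functions).Functions  # string[] (REG_MULTI_SZ)
$policy    = (Get-ItemProperty -Path $policyKey -Name Functions).Functions  # single REG_SZ string

$problems = @()
if ($policy.Length -gt 1023) {
    $problems += "value is $($policy.Length) characters; Schannel allows at most 1023"
}

$entries = $policy -split ","
foreach ($entry in $entries) {
    if ($entry -eq "" -or $entry -ne $entry.Trim()) {
        # the copy-and-paste problem from the post: a leading space makes this a different name
        $problems += "whitespace or empty entry: '$entry'"
    } elseif ($available -notcontains $entry) {
        # unknown here: either a typo, or a suite this build (e.g. Vista / 2008) does not support
        $problems += "not available on this build: $entry"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    "OK: $($entries.Count) suites, $($policy.Length) characters, all present in the local list."
}
```

Run it after the reboot that follows the one-liner; an entry flagged as whitespace is the line-wrap problem discussed below, and an entry flagged as not available is one to drop before you seal the image.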
This is working fine with IE 9, IE 8, Firefox 4, Opera 11, Safari 5, but Chrome 10 just hangs with a constant hourglass trying to browse to the IIS 7.5 website configured with this.
There is white space between some of the ciphers if you copy and paste this script. This appears to cause problems with Windows' interpretation of the available ciphers, so when using this script you must carefully inspect it for white space before executing it.
I'm also wondering why TLS_RSA_WITH_RC4_128_SHA was not moved down lower, say right before TLS_RSA_WITH_RC4_128_MD5? By moving this cipher down, the four non-FIPS 140-2 ciphers in your script would all be at the bottom of the list.
Yes, the line wraps on here can cause issues. So make sure you clean up the line breaks and spaces. Good idea about moving down the other cipher.
Great post. Appreciate your efforts. Is it possible to change the order of suites on Windows 2003 Server?