Disabling TripleDES ciphers on Windows Server 2003 breaks SSL connectivity

As companies start to remediate vulnerabilities, they begin disabling certain ciphers. One thing to be aware of is that Windows Server 2003 does not support the AES 128 or AES 256 cipher suites by default. When you disable the TripleDES ciphers on Windows 2003, SChannel cannot fall back to the AES ciphers because that functionality is not present, so SSL/TLS connections fail.

For Windows 2003 to be able to use the AES 128/256 ciphers you need to install hotfix KB948963:

https://support.microsoft.com/en-ca/help/948963/an-update-is-available-to-add-support-for-the-tls-rsa-with-aes-128-cbc

You can check whether the AES hotfix is currently installed on your system by running: wmic qfe | findstr "KB948963"

When you open IIS Crypto you will see the AES ciphers checked, but that does not mean the back-end functionality to support those ciphers exists. Before disabling TripleDES, check that hotfix KB948963 is installed on the system.
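The following PowerShell script is an added example, not code from the original post. It combines the two checks above: whether KB948963 is present (via the Win32_QuickFixEngineering WMI class, the same data wmic qfe reads) and whether the 3DES and AES cipher flags under the SChannel Ciphers registry key are disabled. It assumes the SChannel cipher subkey names documented by Microsoft for Windows Server 2003 ("Triple DES 168/168", "AES 128/128", "AES 256/256"; later releases use "Triple DES 168") and that PowerShell is installed on the host. The .NET Registry API is used instead of Test-Path because the PowerShell registry provider treats the slash in "Triple DES 168/168" as a path separator.

```powershell
# Added example: warn before 3DES is disabled on a Windows Server 2003 host that
# has no AES support, which is the condition that breaks SSL/TLS connectivity.
$AesHotfix   = 'KB948963'
# SChannel cipher root relative to HKEY_LOCAL_MACHINE (layout assumed from Microsoft's
# SChannel documentation; an absent subkey means the default for that cipher applies).
$CipherRoot  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Test-CipherEnabled {
    param([string]$Name)
    # Open via .NET so key names containing "/" (e.g. "Triple DES 168/168") resolve.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CipherRoot\$Name")
    if ($null -eq $key) { return $true }          # no override key: default (enabled)
    try {
        $value = $key.GetValue('Enabled')
        if ($null -eq $value) { return $true }    # key exists but no Enabled value
        return ([int]$value -ne 0)                # 0 = disabled, 0xffffffff (-1) = enabled
    } finally {
        $key.Close()
    }
}

function Test-AesHotfixInstalled {
    $hit = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq $AesHotfix }
    return [bool]$hit
}

$hotfixPresent = Test-AesHotfixInstalled
# Treat 3DES as enabled only if neither the 2003-style nor the newer key disables it.
$tripleDesOn   = (Test-CipherEnabled 'Triple DES 168/168') -and (Test-CipherEnabled 'Triple DES 168')
$aesFlagOn     = (Test-CipherEnabled 'AES 128/128') -or (Test-CipherEnabled 'AES 256/256')

Write-Host ("AES hotfix {0} installed : {1}" -f $AesHotfix, $hotfixPresent)
Write-Host ("TripleDES enabled in SChannel : {0}" -f $tripleDesOn)
Write-Host ("AES registry flag enabled      : {0}" -f $aesFlagOn)

if (-not $hotfixPresent) {
    # The registry flag alone is meaningless without the hotfix, which is exactly
    # the trap IIS Crypto's checked AES boxes set on Windows 2003.
    if ($tripleDesOn) {
        Write-Warning "TripleDES is the only usable strong cipher here; installing $AesHotfix before disabling it is required."
    } else {
        Write-Warning "TripleDES is disabled and $AesHotfix is missing: SChannel has no AES suites to negotiate, so SSL/TLS will fail."
    }
} else {
    Write-Host "AES support is present; TripleDES can be disabled safely from a cipher-availability standpoint."
}
```

Run it in an elevated PowerShell session on the server before applying an IIS Crypto template; a Warning line means the template would leave the server without a negotiable cipher suite.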


One Response to Disabling TripleDES ciphers on Windows Server 2003 breaks SSL connectivity

  1. Paja says:

    IIS Crypto is not supported on Windows 2003 🙂
