Reputation: 37909
I have two EDI servers, A and B. Trading Partners connect using TLS.
One trading partner cannot connect to server B, but can connect to server A.
The issue apparently is that the cipher suites on A are different than what is on B. The reason for this is that B has had Windows Updates applied, but not A.
So I would like to put all the cipher suites back on B that were there originally before the updates so that they are the same. This should allow the partner to connect successfully.
I have used SSLLabs to run a report on the cipher suites, and this is the list that is on A, but not B:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_RC4_128_MD5 (0x4)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
How do I enable/install these cipher suites?
Upvotes: 6
Views: 24303
Reputation: 2125
This C function enumerates the Cipher Suites:
    #include <windows.h>
    #include <stdio.h>
    #include <bcrypt.h>

    /* Link against the CNG configuration API (needed for the BCryptEnumContext* calls). */
    #pragma comment(lib, "bcrypt.lib")

    #ifndef NT_SUCCESS
    #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
    #endif

    int main(void)
    {
        NTSTATUS status;
        ULONG uSize = 0;
        PCRYPT_CONTEXTS pContexts = NULL;

        /* Get the configuration contexts for the local machine (CRYPT_LOCAL).
           Passing a non-NULL output pointer makes CNG allocate the buffer for us. */
        status = BCryptEnumContexts(CRYPT_LOCAL, &uSize, &pContexts);
        if (NT_SUCCESS(status))
        {
            /* Enumerate the context identifiers (e.g. "SSL"). */
            for (ULONG uContextIndex = 0;
                 uContextIndex < pContexts->cContexts;
                 uContextIndex++)
            {
                wprintf(L"\nContext [ %s ]:\n",
                        pContexts->rgpszContexts[uContextIndex]);

                /* Get the Schannel (cipher suite) functions configured for this
                   context, in priority order. CNG allocates the memory for us. */
                PCRYPT_CONTEXT_FUNCTIONS pContextFunctions = NULL;
                NTSTATUS fnStatus = BCryptEnumContextFunctions(
                    CRYPT_LOCAL,
                    pContexts->rgpszContexts[uContextIndex],
                    NCRYPT_SCHANNEL_INTERFACE,
                    &uSize,
                    &pContextFunctions);
                if (NT_SUCCESS(fnStatus))
                {
                    /* Enumerate the functions (cipher suite names). */
                    for (ULONG i = 0; i < pContextFunctions->cFunctions; i++)
                    {
                        wprintf(L"\t%s\n", pContextFunctions->rgpszFunctions[i]);
                    }
                    /* Free the context functions buffer. */
                    BCryptFreeBuffer(pContextFunctions);
                }
                else
                {
                    /* A context may simply have no Schannel functions; report and go on. */
                    wprintf(L"\t(no Schannel functions, status 0x%08lx)\n", (unsigned long)fnStatus);
                }
            }
            /* Free the contexts buffer. */
            BCryptFreeBuffer(pContexts);
        }
        else
        {
            wprintf(L"BCryptEnumContexts failed with status 0x%08lx\n", (unsigned long)status);
        }

        return NT_SUCCESS(status) ? 0 : 1;
    }
Upvotes: 0
Reputation: 715
So, chiming in a bit late... Ok... REALLY LATE... but I had the same question and found some extra information to help expand on this post a bit.
As was already stated... Apparently no, you can't "add/install" extra suites. But... you can change which ones are active and in which order they are preferred. So, what was already stated above were links on how to change just the order of what's already active... that's cool... but, that's only a portion of the answer for which I believe you seek. The other half of the question is "what is available to choose from?" and to that I would like to share this link...
https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
On that page you should find a list of links for the more "recent Windows operating systems" (if you want to call Windows XP "recent") and each subsequent link will show you 1) what cipher suites are enabled by default, 2) what cipher suites are available, but are disabled by default, and 3) what Pre-Shared Key suites are available upon request. Between those three lists you can pick and choose which cipher suites you want to load and in what order.
Now... the sticky part... the part I haven't been able to figure out... Apparently the full list of cipher suites available to an OS can be updated via various Windows Updates that Microsoft sees fit to pass down to us. It's unclear to me where to find out what the complete list of available suites are after having been fully patched/updated. I could be wrong on this, but places I've poked at seem to hint at such a thing. Anyway... I wish there was some command line/PowerShell way to see the full list of available suites to pick from. As best I've been able to find is "Get-TlsCipherSuite"... which appears to only show you what is currently in the list of enabled suites... not the full list of available suites to choose from. If someone knows the magic words to type to obtain the FULL list... That's what I'm interested in. ;)
Anyway... late to the party... but hopefully that nugget helps out someone else on the same quest. :)
Upvotes: 3
Reputation: 37909
This blog post covers how to add/remove cipher suites.
In a nutshell, there is a local computer policy setting called "SSL Configuration Settings" that determines the order of the suites used, as well as which are used.
There is also a free GUI tool that lets you add/remove cipher suites.
Upvotes: 6
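The same comparison and re-enable step can be scripted from PowerShell. The following is an added example, not code from any of the answers above or from the tool/blog post they mention. It assumes WinRM access to both servers, the TLS cmdlets (Get-TlsCipherSuite / Enable-TlsCipherSuite, shipped with Windows Server 2012 R2 and later), and uses placeholder host names. It deliberately skips the RC4/MD5 suite from the question's list: RC4 and MD5 are deprecated, and re-enabling them to match an unpatched host widens the attack surface on B for every other partner.

```powershell
# Added example: diff the enabled Schannel cipher suites of two hosts and
# enable on B whatever A still offers. Host names are placeholders.
$Reference = 'edi-a.example.internal'   # server A (unpatched, partner connects)
$Target    = 'edi-b.example.internal'   # server B (patched, partner fails)

function Get-RemoteCipherSuites {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Get-TlsCipherSuite returns the suites in the order Schannel offers them.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-TlsCipherSuite).Name
    }
}

$onA = Get-RemoteCipherSuites -ComputerName $Reference
$onB = Get-RemoteCipherSuites -ComputerName $Target

# Suites enabled on A but not on B ('<=' = present only in the reference set).
$missing = Compare-Object -ReferenceObject $onA -DifferenceObject $onB |
    Where-Object SideIndicator -eq '<=' |
    Select-Object -ExpandProperty InputObject

# Practitioner filter (my choice, not from the thread): never re-enable
# broken primitives just to match an old host.
$toEnable = $missing | Where-Object { $_ -notmatch 'RC4|MD5|NULL|DES|EXPORT' }
$skipped  = $missing | Where-Object { $_ -match    'RC4|MD5|NULL|DES|EXPORT' }

Write-Host "Will enable on ${Target}:" ($toEnable -join ', ')
if ($skipped) { Write-Warning "Leaving disabled (weak): $($skipped -join ', ')" }

Invoke-Command -ComputerName $Target -ArgumentList (,$toEnable) -ScriptBlock {
    param([string[]]$Suites)
    foreach ($s in $Suites) {
        # Without -Position the suite is appended to the end of the priority list,
        # so existing, stronger suites keep precedence.
        Enable-TlsCipherSuite -Name $s
    }
    # Show the resulting list so it can be compared against A again.
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name
}
```

The cmdlets edit the machine's local Schannel configuration; if the "SSL Cipher Suite Order" group policy (the "SSL Configuration Settings" policy the answer above refers to) is applied to server B, that policy list takes precedence, and the change has to be made there instead. Restart server B afterwards and re-run the SSLLabs scan the question already used, so the partner's handshake is checked against the list Schannel is actually offering rather than against the registry.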