Windows 10: How to change modify the TLS settings and Cipher suites used for network authentication...

Discussion in 'Windows 10 Software and Apps' started by roms77, Jan 8, 2025.

  1. roms77 Win User

    How to change modify the TLS settings and Cipher suites used for network authentication...


    Hello, I need to restrict ciphers used for network authentication EAP-TLS when connecting Windows 10/11 computers to the network. I saw several registry key entries but not sure I am using the correct one and if they are used with EAP-TLS. Can you please confirm:

    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

    Any ideas?

    :)
     
    roms77, Jan 8, 2025
    #1
  2. TeknoHub Win User

    Windows Server 2016 R2 TLS 1.2 Cipher Suites

    Hello - I have a .Net application that accesses an external website to retrieve data. The external website removed TLS 1.1 support and only supports the following TLS 1.2 cipher suites:

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    The application works fine when being run from Windows Server 2019 or later (including Win10) but is not able to access the external site when being run on Windows Server 2016 R2 or earlier versions. I understand Server 2008 is end of life but Server 2012 R2 should still be supported, I would think. From what I understand, it appears these specific cipher suites are not available for Server 2012 R2. Will they ever be available, or is there some other way to have my application work with the existing available cipher suites?

    Thank You
     
    TeknoHub, Jan 8, 2025
    #2
  3. How do I add new cipher suites to Windows 2012 R2 and Windows 2008 R2?

    I have a client that has enabled below 3 ciphers in their machine

    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    We were initially hitting the endpoint on the above machine via a 2008 R2 machine. Through Wireshark, I found out that we were having a handshake failure because the 3 they mentioned above didn't match with the 19 suites we send across to them in our 'Client Hello'. We found that updated Windows might support some of the latest ciphers.

    So yesterday we tried the same from our Windows 2012 R2 machine and even though we send about 24 cipher suites in our 'Client Hello' call as seen in Wireshark, nothing matches the 3 the client has enabled in their machine. I went through the supported ciphers mentioned in MS Docs for 2008R2 and 2012R2 and I couldn't find the above 3. Doc was last updated in 2018. I also confirmed the same by checking the list provided in 'SSL Configuration settings' in both the servers. The 3 were not in the list in the settings window.

    How can I add/enable these 3 ciphers in 2008 R2 and 2012 R2?
     
    AswinFrancis, Jan 8, 2025
    #3
  4. bineshtk Win User

    Cipher suite mismatch error

    I have a WCF service and a client accessing that service hosted on the same production machine (Windows Server 2016 build) for testing purposes, but when the client pings the server, the call ends with an error:
    Could not establish secure channel for SSL/TLS with authority 'ServerName: Port'.

    When I checked the event logs, I found the following error

    An unknown connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed. (SChannel - 36874)

    I tried enabling/disabling SSL, TLS security on the machine, but still not able to solve the issue.

    Is there any registry key I need to set to add specific Cipher Suite to solve this issue?

    Thanks in advance
     
    bineshtk, Jan 8, 2025
    #4
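
Posts #3 and #4 both describe a handshake that fails because the client's offered suites and the server's enabled suites do not intersect, which can be checked directly from the ClientHello bytes seen in a capture. The following is an added example, not part of any post in this thread: it parses the cipher_suites vector of a ClientHello record and intersects it with the three suites listed in post #3. The two sample ClientHellos are constructed for illustration and do not represent what any particular Windows version sends.

```python
import struct

# IANA code points: the three suites from post #3 plus a few older ones.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
SERVER_ENABLED = {0xC02F, 0xC030, 0xCCA8}  # the remote side's list in post #3


def offered_suites(record: bytes) -> list[int]:
    """Return the cipher suite code points offered in a TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 35 + body[34]  # skip version(2), random(32), session_id(1+n)
        (suites_len,) = struct.unpack_from("!H", body, pos)
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [c for (c,) in struct.iter_unpack("!H", body[pos:pos + suites_len])]


def negotiable(record: bytes, server: set[int] = SERVER_ENABLED) -> list[str]:
    """Names of suites both sides support, in client preference order."""
    return [SUITE_NAMES.get(c, f"0x{c:04X}") for c in offered_suites(record) if c in server]


def build_hello(suites: list[int]) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello without extensions."""
    vec = b"".join(struct.pack("!H", c) for c in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(vec)) + vec + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: one client offering only older suites, one offering GCM suites.
OLD_CLIENT = build_hello([0xC028, 0xC027, 0x009D, 0x000A])
NEW_CLIENT = build_hello([0xC030, 0xC02F, 0xC028, 0xC027])
```

An empty result from `negotiable()` is the condition under which the server has nothing to select and the handshake fails, as in the Schannel 36874 event quoted in post #4.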