My activities Submit a request

Search

Venafi Customer Support

>
Customer Knowledge Base
>
Security

Validate Cipher Suites Offered To Servers From Windows

RELATED ARTICLES
INTRODUCTION TO TLS AND CIPHER SUITES
A cipher suite is a set of algorithms that computers agree to use to protect data passing between them. It is akin to a Error: Uninstall an MSI a
fails asking for path of o
spoken language between humans. With humans we have an idea, and that idea is transformed from its raw thought into
SSL Handshake Troubles
words and is is passed passed back and forth to other humans using verbal and written encoding in the form of talking
Scanafi 2.2.2 is live!
and writing letters. Both humans involved in the conversation have to understand the same language. It is the same with Info: What's new in Vena
Protection Platform 19.2
computers. With computers, the raw data can undergo several such transformations such as binary encoding, encryption,
Info: How do I check my
message validation checks and authentication. These sets of transformations we will call algorithms. Each of those named
Communication?
categories have several competing algorithms. Because there are more than one algorithm, the computers have to choose

which algorithm from each category to use.  

Algorithms supported in TLS 1.0–1.2 cipher suites

Key exchange/agreement    Authentication   Block/stream ciphers Message authentication

RSA RSA RC4 Hash-based MD5

Diffie–Hellman DSA Triple DES SHA hash function

ECDH ECDSA AES  

SRP   IDEA  

PSK   DES  

    Camellia  

    ChaCha20  

To understand more, go to Cipher Suite on Wikipedia

If the connected computers don't both support a full set of the same algorithms then they cannot have a meaningful

exchange. In this case, the computers will disconnect and show the user a message like "TLS session failed". The different

algorithms are called ciphers in the security world. A set of these ciphers used in tandem to create a secure connection is

called a "Cipher Suite".

TLS is the protocol used to help computers decide which cipher suite to use. It defines how to authenticate the computers

to each other, and how they will let each other know which cipher suites they support. Simply put, it is the "S" in HTTPS.

TLS is the protocol used to secure the internet and most other secure softwares.

The TLS Handshake 

The client offers the cipher suites it supports to the server and the server picks one. If there is a compatible cipher suite

offered by the client, the server will continue the conversation using the chosen suite. However, if there is no overlap

between the suites the client offers, and the ones the server is willing to use, the server will terminate the conversation

with the client. This exchange is called the TLS handshake. 

Lets learn how to troubleshoot the handshake.

TROUBLESHOOTING THE CIPHER SUITE IN TLS

Tools

We are going to use a browser to do the easy investigation. We will use Powershell 5.1 or greater to get a list of supported

Cipher Suites in .NET. Then we are going to dig deeper into the conversation between the computers using Wireshark

which includes NpCap.

Download Powershell

Download Wireshark 

Using Chrome to See the Negotiated Cipher Suite

If you go to a secure website or service using Chrome you can see which cipher suite was negotiated. Any HTTPS site will

give you this information.

information. 

1.  Go to https://www.venafi.com/

2. Press F12 on your keyboard to open the Developer Tools in Chrome

3. At the top of the developer tools window, you will see a tab called security. Click it.

it.

4. You should see something like the image below 

You can see above that in the secure connection settings section that 

The security protocol used is TLS1.2

The Key Exchange and Authentication is ECDHE_RSA with X25519

The last part is the encryption algorithm, AES 128 bit with GCM

It is important to note that if you can often connect to services with Chrome when other applications fail. This is because

Chrome implements its own version of the Cipher suites, so it is not dependent on what the OS is capable of. You can use
this to validate that the server is functioning and that it can in fact create a TLS1.2 session using strong ciphers.

Windows and .NET Do Not Support all Cipher Suites

By default, Windows and .NET have less secure cipher suites disabled. This means that they are not offered to servers as an

option. Earlier versions of Windows Server do not support some of the more modern cipher suites. For a complete list of

what suites are available to a version of Windows check out 

https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

That web page also shows you how to format the cipher suites configured in Windows. It is important to note from that

article which cipher suites are available by default in each version of Windows. If the suite you are looking for is enabled by

default, you shouldn't need to change registry settings in order to explicitly enable it.

Discover Which Cipher Suites Are Enabled

PowerShell

PS C:\> Get-TlsCipherSuite | Format-Table -Property CipherSuite, Name

CipherSuite Name

----------- ----

4866 TLS_AES_256_GCM_SHA384

4865 TLS_AES_128_GCM_SHA256

0 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

49195 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

49200 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

49199 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

159 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

158 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

49187 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

49192 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

49191 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

49162 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

49161 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

49172 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

49171 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

157 TLS_RSA_WITH_AES_256_GCM_SHA384

156 TLS_RSA_WITH_AES_128_GCM_SHA256

61 TLS_RSA_WITH_AES_256_CBC_SHA256

60 TLS_RSA_WITH_AES_128_CBC_SHA256

53 TLS_RSA_WITH_AES_256_CBC_SHA

47 TLS_RSA_WITH_AES_128_CBC_SHA

10 TLS_RSA_WITH_3DES_EDE_CBC_SHA

59 TLS_RSA_WITH_NULL_SHA256

2 TLS_RSA_WITH_NULL_SHA

0 TLS_PSK_WITH_AES_256_GCM_SHA384

168 TLS_PSK_WITH_AES_128_GCM_SHA256

175 TLS_PSK_WITH_AES_256_CBC_SHA384

174 TLS_PSK_WITH_AES_128_CBC_SHA256

 177 TLS_PSK_WITH_NULL_SHA384

176 TLS_PSK_WITH_NULL_SHA256

PowerShell will show you which cipher suites are available to .NET. This list shows the CipherSuite number (universal) and

the name that Windows machines use to describe the suite. Linux machines will use a different format on the name,

although it will be similar, however the suite number will be the same.

Wireshark Gives You the Whole Conversation

Wireshark is an awesome tool for digging deep into what the network is actually sending. It can listen to anything sent over

the network card and log every packet so you can see the whole conversation. Go to their docs page to learn how to use

Wireshark to its fullest. However, for this exercise, we will do a simple capture of the browser's conversation with the

Venafi.com web server.

1. Open wireshark

2. Click on the Configure Capture button at the top 

3. Select the interface that will be used for internet traffic 

4. Add a filter to the capture filter text box

port 443 && host 23.185.0.2

5. Click Start

6. Open a new private browser and go to https://venafi.com

7. Stop the capture

You should have seen a bunch of packets get captured. The ones we are interested in will be at the beginning of the

capture. Find the one that says Client Hello in the info field.

If you expand all the nodes after the Transport Layer Security node, you can see all the cipher suites that were offered to

the server.

Now look at the Server Hello packet. In this screen capture it was two packets down. This shows which of the offered

cipher suites was chosen.

An astute person would have noticed that the ciphers offered in the Client Hello above were not the same cipher suites that

PowerShell said we have available. That is because Chrome uses their own list of usable ciphers, and .NET honors the OS

settings for which ciphers are ok.

Lets do the same exercise in PowerShell to show the differences.

1. First open a PowerShell window. 

2. Reset the capture in Wireshark using the blue fin icon.

3. Run the following command in PowerShell

Invoke-WebRequest -Uri https://venafi.com

4. Stop the capture.

Now if you look at the Client Hello in this capture, you will see that instead of 16 entries offered, 21 were offered

  
 In the end, however, the server still picked the same cipher suite.

When The Server Says NO

When the server doesn't find a cipher suite in the Client Hello that it likes, it will send a session termination packet instead

of a Server Hello. When this happens, double check with the server's administrator to see if any of the offered cipher suites

should have been acceptable. If they are not, then you will have to add them to the Windows registry manually activating

those ciphers.

A good place to learn how to do that is here

https://support.microsoft.com/en-us/help/4032720/how-to-deploy-custom-cipher-suite-ordering-in-windows-server-2016

Keep in mind that some cipher suites are not available on older Windows Servers, so even if they are enabled in the

registry, they will not be offered to the server in the Client Hello. 

Was this article helpful? 👍

👎 2 out of 2 found this helpful

Comments