How do I change Cipher orders (or disable them) in Windows?


Article ID: 168354


Products

ProxySG Software - SGOS

Issue/Introduction

There are cases where the back-end server prefers a cipher suite that is undesirable or unsupported. For example, ECDHE ciphers are not supported in a reverse proxy deployment as of the writing of this KB, and some servers prefer an ECDHE cipher if the client offers it. This KB goes over the steps to change this behavior on the web server side, for servers running newer versions of MS Windows.

Resolution


In the newer versions of Windows (Windows 7, 8, 2008, and 2012) there is a GPO setting to activate or reorder any of the supported cipher suites. Here are the steps:

1- Open the GPO snap-in (Start > Run > mmc > add snap-in > GPO).
2- Browse to "Computer Configuration > Administrative Templates > Network > SSL Configuration Settings".
3- Double-click "SSL Cipher Suite Order".
4- Cipher suites are in comma-separated format and listed in order of preference. Reorder or remove them as required, then click Apply/OK.
5- Run gpupdate from the command line to refresh the GPOs on the server.
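To check the result after step 5, the following PowerShell script reads back the order the policy wrote and flags any ECDHE suites still listed. It is an added example, not part of the original KB. It assumes the policy stores its list in the `Functions` value under the registry key shown, and the function names and sample string are constructed for illustration.

```powershell
# Assumption: the "SSL Cipher Suite Order" policy writes its list to this key/value.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Split the stored value into an ordered list of suite names.
function ConvertTo-CipherSuiteList {
    param([string[]] $Raw)
    # The policy stores one comma-separated string; a multi-string is accepted too.
    ($Raw -join ',') -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Emit one row per suite with its priority and whether it uses ECDHE key exchange.
function Get-CipherSuiteReport {
    param([string[]] $Suites)
    for ($i = 0; $i -lt $Suites.Count; $i++) {
        New-Object psobject -Property @{
            Priority = $i + 1
            Suite    = $Suites[$i]
            IsECDHE  = $Suites[$i] -like 'TLS_ECDHE_*'
        } | Select-Object Priority, Suite, IsECDHE
    }
}

$policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Warning 'No policy-defined order found; showing a constructed sample instead.'
    # Constructed sample value, not taken from a real server.
    $raw = 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256, TLS_RSA_WITH_AES_128_CBC_SHA'
} else {
    $raw = @($policy.Functions) -join ','
}

$report = @(Get-CipherSuiteReport -Suites (ConvertTo-CipherSuiteList $raw))
$report | Format-Table -AutoSize

# Any ECDHE entry left in the list can still be selected when a client offers it.
$ecdhe = @($report | Where-Object { $_.IsECDHE })
if ($ecdhe.Count -gt 0) {
    Write-Warning ("{0} ECDHE suite(s) still listed, highest at priority {1}." -f
        $ecdhe.Count, $ecdhe[0].Priority)
} else {
    Write-Output 'No ECDHE suites in the configured order.'
}
```

Microsoft's documentation for this policy setting states that a restart is required before Schannel uses the new order.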
