TLS / SSL cipher strength change

One of my customers asked me today what the configuration of their send connectors is, because they need to establish new boundary encryption between them and a business partner. One of the tasks was to check which ciphers the connectors use.

I hadn't seen that setting before on the Exchange side, so I started googling a bit, and after a few dead ends I found this article: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/5830c533-38eb-4d88-92fe-6e1a02d7bac4

Thanks to JShan99, here it is.

A cipher suite is the combination of key exchange, authentication, bulk encryption and hash (MAC) algorithms that both ends of a communication channel support and agree to use. Cipher suites protect data in transit against unauthorised access, so the strength of the negotiated suite is what matters most. The order in which Windows (Schannel) offers its cipher suites can be set via group policy. The first suite in the list should be the strongest or most preferred one, and the list should then fall back to weaker ones down to the least preferred; however, the default order in Windows Server 2008 R2 does not put the strongest suite first. Note that once the policy is enabled, only the suites in the list are offered, so anything left out (for example RC4 or export-grade suites) is effectively disabled.

Default Settings

open: gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order. With the setting Not Configured, the Cipher Suites field shows the default list in the order Schannel tries them, from first to last.

(screenshot: SSL Cipher Suite Order, before the change)

Change settings

  • Click the Enabled radio button and in the Cipher Suites field enter the desired order, from the strongest or most preferred suite down to the weakest or least preferred. The list is comma-separated with no spaces, is limited to 1023 characters, and must use the exact Schannel suite names; a typo in a name silently drops that suite.

(screenshot: SSL Cipher Suite Order, after the change)

  • Apply settings
  • Reboot computer

Settings can be managed via GPO.

Update: Exchange 2013 is not supported on servers running with the FIPS security policy enabled (the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting, which restricts Windows to algorithms approved by the US Federal Information Processing Standard: http://support.microsoft.com/?kbid=811833)
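The procedure above (and the FIPS check the update mentions) as an added PowerShell example; this is not code from the original post or from the TechNet thread. It writes the same registry value that the "SSL Cipher Suite Order" policy writes, runs the checks you would otherwise do by hand before pasting into the GPO field (no whitespace, no duplicates, 1023-character limit, read-back after the write) and warns if the FIPS algorithm policy is on. The preferred list is only an illustration, using the Schannel names of Windows Server 2008 R2 (ECDHE suites carry a curve suffix there); adapt it to what the business partner supports. The registry paths are the documented locations, everything else is an assumption for the example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the server; Schannel only picks the new order up after a reboot.
# ASSUMPTION: the $Preferred list is an illustration, not a recommendation
# for any particular partner; adjust it to the suites both ends support.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$ValueName = 'Functions'   # REG_SZ written by the GPO: comma-separated, no spaces
$MaxLength = 1023          # documented limit of the policy's Cipher Suites field

# Example order: ECDHE (forward secrecy) with AES first, then RSA key exchange
# with AES. RC4, 3DES and export suites are deliberately absent: not listed = disabled.
$Preferred = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

function Test-FipsPolicy {
    # "Use FIPS compliant algorithms" security setting (KB 811833); Exchange 2013
    # is not supported with it enabled, so check before touching crypto policy.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                          -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Enabled -eq 1)
}

function Get-SslCipherSuiteOrder {
    $v = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return @() }   # Not Configured: Schannel uses its built-in default order
    return ($v.$ValueName -split ',')
}

function New-SslCipherSuiteString {
    param([string[]]$Suites)
    foreach ($s in $Suites) {
        if ($s -match '\s') { throw "Cipher suite name contains whitespace: '$s'" }
    }
    $dupes = $Suites | Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate suites: $(($dupes | ForEach-Object { $_.Name }) -join ', ')" }
    $str = $Suites -join ','
    if ($str.Length -gt $MaxLength) { throw "List is $($str.Length) chars; the policy limit is $MaxLength" }
    return $str
}

function Set-SslCipherSuiteOrder {
    param([string[]]$Suites)
    $str = New-SslCipherSuiteString -Suites $Suites
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $str -Type String
    # Read back and compare so a truncated or mistyped value is noticed now,
    # not after the reboot when TLS sessions start failing.
    $after = (Get-SslCipherSuiteOrder) -join ','
    if ($after -ne $str) { throw 'Read-back mismatch after writing the cipher suite order' }
    Write-Host 'Cipher suite order written; reboot the server for Schannel to use it.'
}

if (Test-FipsPolicy) { Write-Warning 'FIPS algorithm policy is enabled on this host (not supported with Exchange 2013).' }
Write-Host "Before: $((Get-SslCipherSuiteOrder) -join ', ')"
Set-SslCipherSuiteOrder -Suites $Preferred
Write-Host "After:  $((Get-SslCipherSuiteOrder) -join ', ')"
```

On a domain-joined server a group policy refresh will overwrite this key, so for managed servers paste the validated string produced by New-SslCipherSuiteString into the GPO's Cipher Suites field instead of writing the registry directly; the script is then still useful for the pre-checks and for confirming what actually landed on the box.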