RustyShort-9392 asked MrDoug-8824 commented

Windows Server 2012 R2 TLS 1.2 Cipher Suites

Hello - I have a .Net application that accesses an external website to retrieve data. The external website removed TLS 1.1 support and only supports the following TLS 1.2 cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The application works fine when being run from Windows Server 2016 or later (including Win10) but is not able to access the external site when being run on Windows Server 2012 R2 or earlier versions. I understand Server 2008 is end of life but Server 2012 R2 should still be supported, I would think. From what I understand, it appears these specific cipher suites are not available for Server 2012 R2. Will they ever be available, or is there some other way to have my application work with the existing available cipher suites? Thank You


Hi @RustyShort-9392!

Did you find any workarounds for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 to work under Windows Server 2012 R2?

Is OS update really the only solution?

Regards
Leo


The only solution I found was to update the OS. While other software is able to include its own cipher suites, .NET seems to rely on the OS suites.

Good luck.

DSPatrick answered RustyShort-9392 commented

Here's what's available:
https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1


This one shows how you can add them.
https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/

--please don't forget to Accept as answer if the reply is helpful--


Thank you very much for the reply. Looking at the list of "what's available" that you supplied, I do not see the only two that the external site supports:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

listed on that site.

If they are not available to the OS how can they be added? Is there some other way to manually add them if they have not been added via a previous Windows Update?

Thanks again!

DSPatrick answered DSPatrick edited

I'd check that Windows is fully patched; then they should be available (from a 2012 R2 server here).

[Screenshot: 55797-image.png]


More info here.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233



RustyShort-9392 answered RustyShort-9392 commented

Once again, thanks for the reply. I'm terribly sorry if I'm missing something for this is definitely something that I'm not very familiar with. That article is very helpful in explaining the way they work, but it seems to address changing the order the ciphers are referenced or disabling specific ciphers, not adding a cipher that the OS does not already contain and support. I'm not sure how that would be done if it is not supported at the OS level. My previous understanding is the only way those are normally added is from a Windows Update.

From information in that post, I searched and found this TechNet post:

https://social.technet.microsoft.com/Forums/en-US/4cdae557-4992-4a7c-ad68-06554bf1b213/how-do-i-add-new-cipher-suiteslisted-below-to-windows-2012-r2-and-windows-2008-r2?forum=winserverPN

Which seems to suggest it may not be possible.

If you can direct me to steps on how to ADD new cipher suites, I would very much appreciate it.


Did you see my screenshot? That is from a patched 2012 R2 server here.


Again, thanks. The server is fully patched. Looking at the screenshot that you sent above, I do not see the two ciphers in question displayed there. The two in need are each "GCM" types:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Viewing this on the server in question, they are not listed.

DSPatrick answered RustyShort-9392 commented

For this 2012 R2 they are there; I just had to scroll down a bit to find them.

[Screenshot: 55814-image.png]



Those you listed are available in Server 2012 R2:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384

However, the ones I need are:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Notice the "ECDSA" vs "RSA".

Those don't appear to be the same. However, I may be missing something, for sure.

Thank You

DSPatrick answered SagarAyadi-1876 commented

Ok, gotcha. Those are not available for Server 2012 R2. They did not show up until Windows 10/Server 2016:
https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1607


Thanks. But, since Windows Server 2012 R2 is still supported by Microsoft, is this something that will be added in a future Windows Update? This seems important since companies are being told to disable older versions of TLS.

If they will be updated is there any timeframe on this?


As a workaround, you can add an "SSL forwarding proxy" (such as WSA from Cisco; I suggest you use the search terms "ssl forward proxy TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" to search for one) in between. When the decrypting proxy re-encrypts the connection, as a side effect it will now support whatever cipher the proxy supports but the client does not.


Rusty - Did you ever get this resolved? I am in the exact same boat. No way I can move a primary business app to 2016 at a moment's notice.

Let me know and thanks.

Dan


As far as I know it won't be.
https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-


You mean we cannot resolve this on Windows Server 2012 R2?

NixJason-4386 answered cheong00 commented

I have a question, too...

We recently ran into issues at 2 customer sites where calls from our .NET Core service using HttpClient fail with Handshake error (40) when posting to an https Apache server. We confirmed no "available" cipher suites in the Client Hello were accepted by the server. The odd thing is that Postman can run from that same server and it DOES have an acceptable cipher. The one in question that we saw accepted in Postman's Client Hello is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and this one ISN'T offered in "our" call (.NET Core 2.8 HttpClient).

We have seen this on both Server 2012 R2 and Server 2016 Standard. I can maybe understand 2012 R2 failing, because it doesn't look like this cipher is available in that OS, but then why does Postman work?

Is there any way to enable this cipher in 2012 R2?

What about 2016? Is it possible that cipher is allowed but just disabled?

This is all a little fuzzy for me still. Also, what tools are you using to see this information above (SSL Cipher Suite Order)?

Thanks in advance,
Jason


Just downloaded it to test. Seems it can leverage Chrome if Chrome is installed in your system.

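An added check, not from any post in this thread, for Jason's question about how to see the SSL Cipher Suite Order: the PowerShell below lists the suites Schannel on the host is willing to negotiate (which is what a .NET application relying on the OS stack can offer in its Client Hello) and reports whether the two ECDHE_RSA GCM suites the external sites require are among them. It assumes the Get-TlsCipherSuite cmdlet (shipped with Windows 8.1 / Server 2012 R2 and later) and the Group Policy cipher-suite-order registry value under HKLM:\SOFTWARE\Policies\Microsoft\Cryptography.

```powershell
# Added example (not the thread's own content): does Schannel on this host offer the
# ECDHE_RSA AES-GCM suites? Run in an elevated PowerShell on the server in question.
$required = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Suites currently enabled for Schannel; .NET on Windows negotiates from this list.
$enabled = Get-TlsCipherSuite | Select-Object -ExpandProperty Name

# A Group Policy "SSL Cipher Suite Order" restricts Schannel to the suites named in
# this comma-separated value; it is absent when no policy is applied.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$policyOrder = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions

Write-Host "Enabled cipher suites reported by Schannel: $($enabled.Count)"
if ($policyOrder) {
    $count = ($policyOrder -split ',').Count
    Write-Host "Group Policy cipher suite order is set ($count suites); suites outside it are disabled."
}

foreach ($suite in $required) {
    # Older Schannel names carry an elliptic-curve suffix (e.g. _P256, _P384), so match on prefix.
    $match = @($enabled | Where-Object { $_ -like "$suite*" })
    if ($match.Count -gt 0) {
        Write-Host "PRESENT : $suite  ($($match -join ', '))"
    } else {
        Write-Host "MISSING : $suite  (no Windows Update adds it; a newer OS or a TLS proxy is needed)"
    }
}

# For reference, every ECDHE_RSA suite this host does offer (on 2012 R2 expect only CBC variants).
Write-Host "ECDHE_RSA suites available here:"
$enabled | Where-Object { $_ -like 'TLS_ECDHE_RSA_*' } | ForEach-Object { Write-Host "  $_" }
```

If both suites report MISSING on a fully patched 2012 R2 host while the remote site accepts nothing else, the handshake failure is explained by the OS, not by the application.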
MrDoug-8824 answered

I'm having the same issue due to requirements when posting to the site: https://www.fcc.gov/media/radio/haat-calculator. If you look at the SSL Labs cipher suites for that site, it wants TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLS 1.2.

Since these are not supported is an OS upgrade the only option to get my program to work on Win Server 2012 R2?

SagarAyadi-1876 answered SagarAyadi-1876 published

I am also facing the same issue. By any chance, can we resolve this issue without updating the server from 2012 R2 to 2016 or any other?

I have been stuck with this issue for the last two days but nothing has helped yet.

MrDoug-8824 answered

I think the OS upgrade is needed. I've tested on newer OS and Windows 10 and everything works. Check out this page for supported versions: https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

Browsers seem to use their own code, but in my .NET app there is not much you can do.

Good luck
