W2012 How to turn off TLS_RSA_WITH_3DES_EDE_CBC_SHA

pci-compliance
Austin picture Austin · Jan 17, 2017 · Viewed 10.8k times · Source

My PCI scans are failing on my win 2012 R2 server because of this.

Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1

They told me it was this one DES-CBC3-SHA I believe Microsoft refers to it as TLS_RSA_WITH_3DES_EDE_CBC_SHA

I would prefer to turn this off using the registry. Anyone know how? Thanks.

Answer

Austin picture Austin · Jan 21, 2017

I figured it out. On win 2012 r2 all you have to do is add this reg key. It takes effect immediately. REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168] "Enabled"=dword:00000000

I verified it works using: https://www.ssllabs.com/ssltest/analyze.html

Related questions

Turning expose_php OFF in php.ini

I have been advised that having expose_php = On in my php.ini is a security issue and is, therefor, not PCI compliant. My research on it so far suggests that turning it off is low risk and will essentially …

Read More
Saving credit card information in MySQL database?

I want to allow my customer users to enter their credit card information so that I can charge them every month. I wonder how one should save this information? Should it be saved in the MySQL database ("user" table) or …

Read More
upgrade openSSH 7.2p in ubuntu 14.04

I have a server running Ubuntu 14.04, but I have an issue with PCI requirements. I have installed in my server OpenSSH 6.6p1, then I upgraded it to OpenSSH 7.2p, compiling the code with make and make install directly from repositories …

Read More