Score:0

IIS Crypto 3.2 not getting rid of Diffie Hellman algorithms of less than 2048 bits ... or am I missing something?


I'm trying to stop a server using Diffie-Hellman algorithms of less than 2048 bits, but I'm getting confusing results.

I've run

Get-TlsCipherSuite | Format-Table Name, Exchange, Cipher, Hash, Certificate

and I can see

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

... all of which I know to use only 1024 bits.

I've run IIS Crypto 3.2, set the DHE minimum key length to 2048 and rebooted, but I can still see the 4 cipher suites above when I run the Get-TlsCipherSuite command. Is IIS Crypto actually doing what I want it to do? Am I missing something? Am I misunderstanding something? Any help gratefully received.

thanks

This sounds like a question about software configuration. You'll probably have better luck in an IIS forum or maybe ServerFault.
Mick8695: It does say "Cryptography" at the top of this website.
Score:1

In the TLS protocol, the group size is not tied to the ciphersuite (in TLS 1.2, whether you use a group at all is; however the size is not). That is, there is no specific reason why insisting on a 2048 bit group size (which is quite sensible) should disable the listed ciphersuites.

Now, it's possible that whatever software you're running does tie them together. However, unless you specifically know that's the case, I wouldn't assume that...

Mick8695: Hi, do you know of a way that I could prove that I am not still using Diffie-Hellman less than 2048 bits? I've researched the internet, used nmap/zenmap, and Diffie-Hellman sizes of 1024 are still showing in there... whether the server is actually using them or not, I just don't know.