Join Log in
Score:2
MasteOfDisaste avatar Server

DTLS Cipher Suites in Windows

gh flag
MasteOfDisaste

I have a very specific question about DTLS and Windows that I can't seem to find on Google. At our company we recently decided to disable specific cipher suites for TLS and only allow the most secure ones, this is our list:

TLS_AES_256_GCM_SHA384

TLS_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

We enforce this list with the GPO found at Computer Configuation > Policies > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. This appears to be working just fine for us. We have had to fix a few incompatibilities with legacy servers and applications.

In one scenario a user could not RDP through a remote gateway. We determined the problem was the cipher suites and we set it back to default. After looking at a wireshark capture we found that the connection to the RDP gateway connects over 443 initially and uses the above cipher suites just fine, but it then transitions to a DTLS connection over UDP port 3391. The client for the DTLS connection reports it can only use these ciphers:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

But when those are disabled then it does not work. So number one, why does the client say it can only use the CBC ciphers instead of the GCM ones even though the GCM ones are enabled? The only thing I can figure on that is the packet reports that the DTLS version is 1.0. The CBC ciphers work with TLS 1.0 the GCM ones do not. But we also have TLS 1.0 and 1.1 disabled on the client and we did not re-enable it to get the client to work. Second question, is there a way to set configurations in windows that affect DTLS specifically? Like if I wanted to fix this and force the server to use DTLS 1.2 or some other cipher suite how would I do that?

111
0 + 0
ssl
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.