5

I recently became aware that following the release of patch KB2992611 in November, Microsoft made available four new cipher suites for schannel (and thus IIS);

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256

I'm also aware that problems were reported with this patch and the above four ciphers, resulting in the patch being temporarily pulled and the above cipher suites left disabled by default.

My question is two-fold;

  1. Has this now been corrected, and are the above cipher suites safe to use on a web server running IIS 7.5 and above?

  2. Which would be considered 'best' out of the the following two options;

    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

In other words, are the ecliptic curve elements of the second option (ECDHE_RSA) outweighed by the superior version of AES that the first offers (AES_GCM)?

And finally, does the advice here vary at all between 2008 R2, 2012 and 2012 R2?

Steve365
  • 1,253
  • 9
  • 16
  • Generally speaking the main reason you would prefer a ECDHE cipher over a DHE cipher is for server performance. An answer for your question about those two ciphers would require more information on your server load, clients in use, etc. – Bad Dos Apr 16 '15 at 16:49

1 Answers1

4

Having read around this some more I have come to the following conclusions;

  • The DH parameters Microsoft used in TLS_DHE_RSA_WITH_AES_128_GCM / TLS_DHE_RSA_WITH_AES_256_GCM are, for compatibility reasons, only 1024 bits in length and are thus considered 'weak'.

  • The new cipher suites continue to not be present in the default cipher suite priority due to reported incompatibility issues (notably with MS SQL server).

  • AES CBC is considered secure on a fully patched IIS server

  • Windows 10 (and presumably the corresponding next version of Windows server) will have ECDHE_RSA with AES_GCM

On that basis I will continue to prefer TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 over the newer TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 on current servers and look to upgrade in the future when Windows 10 / Server 'Next' becomes available.

References

https://community.qualys.com/thread/14821 https://www.nartac.com/Products/IISCrypto/FAQ.aspx https://community.qualys.com/thread/13294 https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Key_exchange_algorithms_.28certificate-only.29

Steve365
  • 1,253
  • 9
  • 16