
Contains working examples of SSL and TLS related settings for Microsoft Windows


TomSellers/Microsoft-TLS-Config


Microsoft Windows SSL / TLS Configuration

The intent of this repository is to provide working configuration settings that can be used to implement SSL and TLS with various levels of compatibility and security.

If the information and settings in this repository are correct, then Ivan Ristic's blog and book Bulletproof SSL and TLS, or Adam Langley's blog, are likely the ones to thank.

If anything in this repository is incorrect then it is definitely my fault. Corrections and suggestions are greatly appreciated via GitHub or Twitter at @TomSellers.


Note: The filenames contain information about platform and compatibility. You may need to change to the GitHub file listing view to easily see the full filename.


Particular details to keep in mind

  • Android supports TLS 1.0 since 2.3
  • Windows XP does not support AES cipher suites
  • Windows Server 2003 does not support AES natively, but support was added in KB948963
  • Windows Server 2003 and XP with IE 6 support TLS 1.0 after a configuration change.
  • Windows Server 2003 and XP with IE 8 support TLS 1.0 by default.
  • Settings provided in this repository impact how the Windows operating system handles SSL and TLS. This affects all applications that do not use their own libraries for SSL and TLS.

Terminology usage in this repository

  • 'Max Compatibility' indicates TLS protocol support for SSL 3.0 and TLS 1.0, 1.1, 1.2
  • 'High Security' indicates cipher suite settings that break Internet Explorer 6 era code by removing RC4 and 3DES.

General Process

  1. Select a Cipher_Suites file matching your desired level of compatibility and security. Cipher suite selection dictates:
     • Key agreement/key exchange algorithms such as RSA, DSA, DH, ECDH, ECDHE
     • Symmetric encryption algorithms such as AES, RC4, 3DES
     • Message authentication algorithms such as MD5, SHA1, SHA256, SHA384

  2. Select an SChannel_config file matching your level of compatibility and security. SChannel settings dictate:
     • SSL / TLS protocols supported such as SSL 2.0, 3.0, and TLS 1.0, 1.1, 1.2
     • Enabling or disabling certain ciphers entirely such as NULL, DES, RC2, RC4

  3. Download these to your server.

  4. Review all the settings and make sure you understand them! ** NO WARRANTY **

  5. Double click to install each, then review and accept each warning message.

  6. Restart the server.

  7. Test with Qualys' SSL Labs site - https://www.ssllabs.com/ssltest/analyze.html

  8. Test with representative clients.
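The process above installs .reg files by double-clicking them. The following PowerShell script is an added example, not part of this repository, that writes the same three classes of SChannel settings the process describes (protocol enable/disable per Server and Client role, disabling individual ciphers outright, and the cipher suite priority list), and reads the protocol state back so you can audit a server before and after a change. The registry paths and value names are the documented SChannel locations; the particular protocol, cipher and suite choices in the usage section at the bottom are this example's own assumptions, chosen to resemble a "Max Compatibility" protocol set with SSL 3.0 and RC4 turned off.

```powershell
# Added example; not code from the TomSellers/Microsoft-TLS-Config repository.
# Run from an elevated PowerShell prompt. SChannel reads these keys at service
# start, so the server must be restarted before the change takes effect.
#Requires -RunAsAdministrator

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    # SChannel uses two DWORDs per protocol and role:
    #   Enabled           0 = protocol is off, 1 = on
    #   DisabledByDefault 1 = not offered unless an application asks for it
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled,
        [ValidateSet('Server','Client')][string[]]$Role = @('Server','Client')
    )
    foreach ($r in $Role) {
        $key = Join-Path $SchannelRoot "Protocols\$Protocol\$r"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $enabledValue = if ($Enabled) { 1 } else { 0 }
        $dbdValue     = if ($Enabled) { 0 } else { 1 }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value $enabledValue -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value $dbdValue -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    # Turns a cipher off entirely under SCHANNEL\Ciphers, e.g. 'NULL',
    # 'DES 56/56', 'RC2 40/128', 'RC4 128/128'. Several of these key names
    # contain '/', which the PowerShell registry provider treats as a path
    # separator, so the .NET Registry API is used to create the key instead.
    param([Parameter(Mandatory)][string]$CipherName)
    $subPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$CipherName"
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subPath)
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Set-SchannelCipherSuiteOrder {
    # Writes the priority list used by the "SSL Cipher Suite Order" policy:
    # a REG_SZ named 'Functions' holding comma-separated suite names, no spaces.
    param([Parameter(Mandatory)][string[]]$Suites)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Functions' -PropertyType String `
        -Value ($Suites -join ',') -Force | Out-Null
}

function Get-SchannelProtocolState {
    # Reports what the registry currently says for each protocol and role.
    # A missing key or value means the OS default applies, and that default
    # differs between Windows versions, so it is reported rather than guessed.
    foreach ($p in $Protocols) {
        foreach ($r in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "Protocols\$p\$r"
            $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = if ($null -ne $v -and $null -ne $v.Enabled) { $v.Enabled } else { 'OS default' }
            $dbd     = if ($null -ne $v -and $null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { 'OS default' }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled
                DisabledByDefault = $dbd
            }
        }
    }
}

# --- Usage (assumed choices for this example) --------------------------------
Get-SchannelProtocolState | Format-Table -AutoSize          # state before

Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false    # set $true to match a Max Compatibility file
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $true }

'NULL', 'DES 56/56', 'RC2 40/128', 'RC4 128/128' | ForEach-Object { Disable-SchannelCipher -CipherName $_ }

# Suite names are the Windows (TLS_*) spellings; 3DES is kept last only for old clients.
Set-SchannelCipherSuiteOrder -Suites @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

Get-SchannelProtocolState | Format-Table -AutoSize          # state after; restart to apply
```

Two caveats a practitioner hits with this approach. The `Functions` value has a length limit (1023 characters), so long suite lists must be trimmed rather than appended to. And `Get-SchannelProtocolState` reports only what is written in the registry; on a server where no key exists the effective behaviour is the OS default, which is why the last step of the process above (testing with SSL Labs and with representative clients) is not optional.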

References
