Warning: The retired, out-of-support Internet Explorer 11 desktop application has been permanently disabled through a Microsoft Edge update on certain versions of Windows 10. For more information, see Internet Explorer 11 desktop app retirement FAQ.
About this update
This article describes an update in which new TLS cipher suites are added and cipher suite default priorities are changed in Windows RT 8.1, Windows 8.1, Windows Server 2012 R2, Windows 7, or Windows Server 2008 R2. These new cipher suites improve compatibility with servers that support a limited set of cipher suites.
Note This is changing the default priority list for the cipher suites. If you have deployed a Group Policy in your environment that has an updated cipher suite priority ordering, this update won't affect those computers where the Group Policy is deployed.
How to get this update
To get this feature, install one of the following update rollups based on your operating system:
Status
Microsoft has confirmed that this is an update in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.
More information
For more information about cipher suites, see Cipher Suites in Schannel.
|
Cipher suite |
FIPS mode enabled |
Protocols |
Exchange |
Encryption |
Hash |
|---|---|---|---|---|---|
|
TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
Yes |
TLS 1.2, TLS 1.1, TLS 1.0 |
DHE |
AES |
SHA1 |
|
TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
Yes |
TLS 1.2, TLS 1.1, TLS 1.0 |
DHE |
AES |
SHA1 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
To configure the SSL Cipher Suite Order Group Policy setting, follow these steps:
-
At a command prompt, enter gpedit.msc, and then press Enter. The Local Group Policy Editor is displayed.
-
Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
-
Under SSL Configuration Settings, select SSL Cipher Suite Order.
-
In the SSL Cipher Suite Order pane, scroll to the bottom.
-
Follow the instructions that are labeled How to modify this setting.
Notes
-
You have to restart the computer after you change this setting for the changes to take effect.
-
The list of cipher suites is limited to 1,023 characters.
-
Using Group Policy as described here is the supported method of updating the cipher suite priority ordering. Updating the registry settings for the default priority ordering isn't supported. If you change these registry settings, this update will reset them to the default settings.
