How to deploy custom cipher suite ordering in Windows Server 2016

This article provides information to help you deploy custom cipher suite ordering for Schannel in Windows Server 2016.

To deploy your own cipher suite ordering for Schannel in Windows, you must prioritize cipher suites that are compatible with HTTP/2 by listing these first. Cipher suites that are on the HTTP/2 (RFC 7540) Black List must appear at the bottom of your list. For example:

Cipher block chaining (CBC) mode cipher suites:

Non-PFS (perfect forward secrecy) cipher suites:

If the cipher suites that are on the Black List are listed toward the top of your list, HTTP/2 clients and browsers may be unable to negotiate any HTTP/2-compatible cipher suite. This results in a failure to use the protocol.

For example, when you use Chrome, you may receive error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.

The default ordering in Windows Server 2016 is compatible with HTTP/2 cipher suite preference. Additionally, this ordering is good beyond HTTP/2, as it favors cipher suites that have the strongest security characteristics. Therefore, the default ordering makes sure that HTTP/2 on Windows Server 2016 won't have any cipher suite negotiation issues with browsers and clients.

If the failure to use the protocol occurs, you must disable HTTP/2 temporarily while you reorder the cipher suites according to the guidelines in the "More information" section.

To enable and disable HTTP/2, follow these steps:

1. Start regedit (Registry Editor).
2. Move to this subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
3. Set DWORD type value EnableHttp2Tls to one the following:

   • Set to 0 to disable HTTP/2

   • Set to 1 to enable HTTP/2

4. Restart the computer.

For more information, see Cipher suites in TLS/SSL (Schannel SSP).

For more information about HTTP/2, see What is HTTP/2?.