Update to add new cipher suites to Internet Explorer and Microsoft Edge in Windows

About this update
This article describes an update in which new TLS cipher suites are added and cipher suite default priorities are changed in Windows RT 8.1, Windows 8.1, Windows Server 2012 R2, Windows 7, or Windows Server 2008 R2. These new cipher suites improve compatibility with servers that support a limited set of cipher suites.

Note This is changing the default priority list for the cipher suites. If you have deployed a Group Policy in your environment that has an updated cipher suite priority ordering, this update won't affect those computers where the Group Policy is deployed.
How to get this update
To get this feature, install one of the following update rollups based on your operating system:
Status
Microsoft has confirmed that this is an update in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.
More information
For more information about cipher suites, see Cipher Suites in Schannel.

New cipher suites

Cipher suiteFIPS mode enabledProtocolsExchangeEncryptionHash
TLS_DHE_RSA_WITH_AES_128_CBC_SHAYesTLS 1.2, TLS 1.1, TLS 1.0DHEAESSHA1
TLS_DHE_RSA_WITH_AES_256_CBC_SHAYesTLS 1.2, TLS 1.1, TLS 1.0DHEAESSHA1

New default priority order for these versions of Windows

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384TLS_DHE_RSA_WITH_AES_256_GCM_SHA384TLS_DHE_RSA_WITH_AES_128_GCM_SHA256TLS_DHE_RSA_WITH_AES_256_CBC_SHATLS_DHE_RSA_WITH_AES_128_CBC_SHATLS_RSA_WITH_AES_256_GCM_SHA384TLS_RSA_WITH_AES_128_GCM_SHA256TLS_RSA_WITH_AES_256_CBC_SHA256TLS_RSA_WITH_AES_128_CBC_SHA256TLS_RSA_WITH_AES_256_CBC_SHATLS_RSA_WITH_AES_128_CBC_SHATLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384TLS_DHE_DSS_WITH_AES_256_CBC_SHA256TLS_DHE_DSS_WITH_AES_128_CBC_SHA256TLS_DHE_DSS_WITH_AES_256_CBC_SHATLS_DHE_DSS_WITH_AES_128_CBC_SHATLS_RSA_WITH_3DES_EDE_CBC_SHATLS_DHE_DSS_WITH_3DES_EDE_CBC_SHATLS_RSA_WITH_RC4_128_SHATLS_RSA_WITH_RC4_128_MD5TLS_RSA_WITH_NULL_SHA256TLS_RSA_WITH_NULL_SHASSL_CK_RC4_128_WITH_MD5SSL_CK_DES_192_EDE3_CBC_WITH_MD5


To configure the SSL Cipher Suite Order Group Policy setting, follow these steps:
  1. At a command prompt, enter gpedit.msc, and then press Enter. The Local Group Policy Editor is displayed.
  2. Go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  3. Under SSL Configuration Settings, select SSL Cipher Suite Order.
  4. In the SSL Cipher Suite Order pane, scroll to the bottom.
  5. Follow the instructions that are labeled How to modify this setting.
Notes
  • You have to restart the computer after you change this setting for the changes to take effect.
  • The list of cipher suites is limited to 1,023 characters.
  • Using Group Policy as described here is the supported method of updating the cipher suite priority ordering. Updating the registry settings for the default priority ordering isn't supported. If you change these registry settings, this update will reset them to the default settings.
Properties

Article ID: 3161639 - Last Review: 06/21/2016 16:44:00 - Revision: 1.0

Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1, Windows RT 8.1, Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1

  • kbqfe kbsurveynew kbfix kbexpertiseadvanced KB3161639
Feedback