Hi,
I'm trying to figure out how to disable the TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA cipher suite on a Windows Server 2003 Enterprise Edition x64.
In general, I'm trying to disable the weak ciphers, and have figured out which registry keys & values to change based on the article 'How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll' on support.microsoft.com kb.
I strongly suspect that the article has some typos regarding DES 56 that are muddying the waters: the heading 'SCHANNEL\Ciphers\RC2 56/56 Subkey:' should read, I think, 'SCHANNEL\Ciphers\DES 56/56 Subkey:'; and I suspect that the cipher suite I'm trying to disable should be in the list under that heading. Can someone confirm that I'm correct in these suspicions?
Also, all the suites I've been directed to disable (having <128 bit keys) are TLS-specific; but can someone tell me if their SSL counterparts are also considered to be weak? e.g. is SSL_RSA_WITH_DES_CBC_SHA considered to be just as weak (and therefore not best practice) as TLS_RSA_WITH_DES_CBC_SHA? I ask this because every key/value discussed in the article affects both the TLS and SSL suites, and my mandate is TLS-specific; but if the SSL ones are likewise non-best-practice, then I'm comfortable disabling them also.
Thanks,
Angus Monro.