Excellent content, thank you! This works for Server 2019 as well.
Thank you sir, your solution works! I tried it on Windows server 2012R2
Happy to help!
Hello, is there a command that I can run on the box itself, or remotely (without Kali) that can tell me what ciphers are enabled? Thank you
I would love to hear this as well.
Thank you! I need to figure out how to do this a work and your videos have been very helpful!
Awesome! Glad it helped :)
How will this disable "AECDH-AES128-SHA" 128 and 256? Please specify.
Is there a reason why you still keep TLS 1.1 enabled with the worry of POODLE and BEAST vulnerabilities? Is this more for compatibility reasons or can we now safely assume that anything that can support 1.1 will support 1.2 and we can disable 1.1 as well?
No reason. You can apply the same principles to disable TLS 1.1 if you wish.
How did you know that that's the right key? Is there a list? Or name or something?
Thank you very much!
You're welcome!
Thank you really helpful.
Glad it was helpful!
What's that "sslscan" script? Looks useful.
Hi Joey. It comes default on Kali, or you can download it from GitHub - github.com/rbsec/sslscan
Rather than disable Diffie-Hellman, wouldn't it be better to set it to use 2048bit instead?
Hey Ian. Yeah absolutely. The video was made over 3 years ago specifically for those ciphers :)
How do you do that?
@@sheeshee5083 I believe if you made a .reg file with the following contents it will force 2048 bit DH.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800
@@Ian_Butterworth whoaa thank you!!!
I believe we can also do it by setting jdk.tls.ephemeralDHKeySize to 2048.
I'm new to these things, I could be wrong.
Thank you so much
You're most welcome
Thanks for the video, very informative. I am still getting this error when trying to connect to TLS1.2:
Failed to connect with TLS1.2 : Error during handshake: the client and server cannot communicate, because they do not possess a common algorithm. (0x80090331)
Any thoughts would be appreciated. Thanks!
Hi Kerry.
It could be that the client you are trying to connect does not support TLS v1.1 or TLSv1.2 and needs updating. It would be worth checking with the vendor.
@@phr33fall83 thanks for your response sir!
Awesome video. Is there an easier way to do this?
What I mean is, a command script to disable Triple DES instead of manually creating the key and then creating a dword value (enable=0)
You can create and set the dwords with a script and pass that through to a csv with all the computer names or prompt the user for a computer name. This is pretty basic stuff.
There is software called IISCrypto that will take a lot of the manual work out. www.nartac.com/Products/IISCrypto
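An added example, not from the video or any commenter, of the scripted approach the reply describes: it sets the same Schannel registry values the video creates by hand (Triple DES 168 and, as asked earlier in the thread, TLS 1.1), and reads them back, which also answers the earlier question about checking cipher state on the box without Kali. The host list is constructed; the key names are the standard Schannel ones.

```powershell
# Added example (not from the video or the commenters). Sets the same Schannel
# values the video creates by hand, so the change can be scripted for many hosts,
# and reads them back. Run elevated; Schannel only re-reads these at reboot.
$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Open-Hklm([string] $ComputerName) {
    # Remote hosts need the Remote Registry service; local uses the live hive.
    if ($ComputerName -eq $env:COMPUTERNAME) { return [Microsoft.Win32.Registry]::LocalMachine }
    return [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
}

function Set-SchannelEnabled {
    param(
        [Parameter(Mandatory)] [string] $SubKey,   # e.g. 'Ciphers\Triple DES 168'
        [Parameter(Mandatory)] [bool]   $Enabled,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    # .NET registry API rather than New-Item: the PowerShell provider treats '/'
    # as a path separator, which breaks cipher names such as 'RC4 128/128'.
    $key = (Open-Hklm $ComputerName).CreateSubKey("$Schannel\$SubKey")
    # Schannel expects 0 to disable and 0xffffffff to enable; -1 stores that DWORD.
    $key.SetValue('Enabled', $(if ($Enabled) { -1 } else { 0 }), 'DWord')
    if ($SubKey -like 'Protocols\*') {
        # Protocol keys also carry DisabledByDefault (1 = off unless asked for).
        $key.SetValue('DisabledByDefault', [int](-not $Enabled), 'DWord')
    }
    $key.Close()
}

function Get-SchannelState {
    param([string[]] $SubKeys, [string] $ComputerName = $env:COMPUTERNAME)
    $hklm = Open-Hklm $ComputerName
    foreach ($s in $SubKeys) {
        $key = $hklm.OpenSubKey("$Schannel\$s")
        $val = if ($key) { $key.GetValue('Enabled', 'not set') } else { 'not set' }
        if ($val -is [int]) { $val = '0x{0:x8}' -f $val }   # show -1 as 0xffffffff
        [pscustomobject]@{ Computer = $ComputerName; Key = $s; Enabled = $val }
    }
}

# Disable Triple DES and TLS 1.1 (server side), then report. Host names here are
# constructed; for a fleet, feed Import-Csv .\hosts.csv into the loop instead.
$targets = @('Ciphers\Triple DES 168', 'Protocols\TLS 1.1\Server')
foreach ($h in @($env:COMPUTERNAME)) {
    foreach ($t in $targets) { Set-SchannelEnabled -SubKey $t -Enabled $false -ComputerName $h }
    Get-SchannelState -SubKeys $targets -ComputerName $h | Format-Table -AutoSize
}
# Roll back by calling Set-SchannelEnabled with -Enabled $true (Enabled=0xffffffff).
```

A key that reports "not set" is running on Schannel's built-in default for that OS version, so check the vendor documentation for the default before assuming it is off.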
How can I roll back?