SSL Labs - This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B.
Windows Server 2012
Website running on Windows Server 2012 R2.
When testing the website with the SSL Labs server test at https://www.ssllabs.com/ssltest, you may receive the message below:
"This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B."
SSL Labs
From the SSL Labs website:
"Grade will be capped to B, if AEAD suites are not supported. As with forward secrecy, we will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them."
Ciphers available on Windows Server 2012 R2
/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1
The following cipher suites support AEAD encryption on Windows Server 2012 R2:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
The first 3 ciphers listed above are ECDSA ciphers and need an ECDSA certificate with an ECC public key. If you are using an RSA certificate, those ciphers are not used.
The other 2 ciphers use DHE. If you enable those 2 ciphers on your webserver, the SSLLabs test will cap your grade to B because the default DHE on Windows uses a 1024 bytes key and it will be marked as "weak".
SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
To fix it, you can increase the DHE key size to 2048 by adding the registry key below:
/en-us/security-updates/securityadvisories/2016/3174644
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800
With this setting, you will have an AEAD cipher that is not classified as "weak", and SSLLabs will give you an A grade.
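The PowerShell below is an added example, not part of the original article. It reads the ServerMinKeyBitLength value, applies the article's reasoning to the five AEAD suites listed above for a given certificate type, and can write the 2048-bit minimum. The function names are hypothetical, and the operator supplies the certificate type.

```powershell
# Added example (not from the original article); function names are hypothetical.
# Run in an elevated PowerShell session on the web server.
$DhKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

# AEAD suites the article lists for Windows Server 2012 R2.
$AeadSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Get-DheServerMinBits {
    # Returns the configured minimum in bits, or $null when the value is absent
    # (the article's default case, which SSL Labs marks as weak).
    $p = Get-ItemProperty -Path $DhKey -Name ServerMinKeyBitLength -ErrorAction SilentlyContinue
    if ($p) { [int]$p.ServerMinKeyBitLength } else { $null }
}

function Set-DheServerMinBits([int]$Bits = 2048) {
    # Same change as the registry entry above: dword 0x800 = 2048.
    if (-not (Test-Path $DhKey)) { New-Item -Path $DhKey -Force | Out-Null }
    New-ItemProperty -Path $DhKey -Name ServerMinKeyBitLength `
        -PropertyType DWord -Value $Bits -Force | Out-Null
}

function Get-AeadSuiteStatus {
    param(
        [Parameter(Mandatory)][ValidateSet('RSA', 'ECDSA')][string]$CertType,
        $DhBits  # untyped so that $null (value not set) is preserved
    )
    foreach ($s in $AeadSuites) {
        $auth  = if ($s -match '_ECDSA_') { 'ECDSA' } else { 'RSA' }
        $isDhe = $s -like 'TLS_DHE_*'
        $status = if ($auth -ne $CertType) {
            "not used: needs $auth certificate"
        } elseif ($isDhe -and ($null -eq $DhBits -or $DhBits -lt 2048)) {
            'usable, but DH flagged weak (grade capped to B)'
        } else {
            'usable'
        }
        [pscustomobject]@{ Suite = $s; Status = $status }
    }
}

# Report for a server with an RSA certificate, using the current registry value.
Get-AeadSuiteStatus -CertType RSA -DhBits (Get-DheServerMinBits) | Format-Table -AutoSize
# Set-DheServerMinBits -Bits 2048   # uncomment to apply the fix described above
```

With an RSA certificate and no ServerMinKeyBitLength value, the report shows the three ECDSA suites as not used and both DHE suites as flagged weak; after the value is set to 2048, the two DHE suites are reported as usable.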
Windows 2016
Windows Server 2016 has other cipher suites that support AEAD and don't use DHE.
Ciphers available on Windows Server 2016
/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-10-v1607
IISCrypto
IISCrypto is a good tool to set TLS parameters and modify the ciphers used on Windows.