Share via


SSL Labs - This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B.

Windows Server 2012

Website running on Windows Server 2012 R2.

When testing the website on the SSLLabs https://www.ssllabs.com/ssltest you may receive the message below:

"This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B."

SSL Labs

From SSL Labs website:

"Grade will be capped to B, if AEAD suites are not supported. As with forward secrecy, we will not penalize sites if they continue to use non-AEAD suites provided AEAD suites are negotiated with clients that support them."

From <https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update>

 

Ciphers available on Windows Server 2012 R2

/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-8-1

 

The following cipher suites supports AEAD encryption on Windows Server 2012 R2:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

 

The first 3 ciphers listed above are ECDSA ciphers and need an ECDSA certificate with an ECC public key. If you are using a RSA certificate, those ciphers are not used.

 

The other 2 ciphers use DHE. If you enable those 2 ciphers on your webserver, the SSLLabs test will cap your grade to B because the default DHE on Windows uses a 1024 bytes key and it will be marked as "weak".

SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

 

To fix it, you can increase the DHE key size to 2048 adding the registry key below:

 

/en-us/security-updates/securityadvisories/2016/3174644

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

"ServerMinKeyBitLength"=dword:00000800

 

Using this setting you will have a AEAD cipher that is not classified as "weak" and SSLLabs will give you an A Grade.

 

 

Windows 2016

Windows Server 2016 has other cipher suites that support AEAD and don't use DHE.

 

Ciphers available on Windows Server 2016

/en-us/windows/desktop/secauthn/tls-cipher-suites-in-windows-10-v1607

 

IISCrypto

 

IISCrypto is a good tool to set TLS parameters and modify the ciphers used on Windows

https://www.nartac.com/Products/IISCrypto/Download