

How to use 256 bit SSL in IIS 6.0

 

3 steps:

 

1. Install the hotfix from https://support.microsoft.com/kb/948963, which installs the AES 128 and AES 256 cipher suites.

2. The order of cipher suites on Windows 2003 is hard-coded. AES 128 has the highest priority and AES 256 comes next, so we only need to disable AES 128 for AES 256 to have the highest priority.

a. Open regedit.exe on the IIS 6.0 machine.

b. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers. You should find many subkeys there, e.g. AES 128/128.

c. In the subkey AES 128/128, create a DWORD value named “Enabled” and set it to 0. This disables AES 128.

3. Reboot the IIS 6.0 machine.
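
Step 2 can also be scripted with reg.exe, which is useful when several IIS 6.0 servers need the same change. The batch file below is an added example, not part of the original post; it assumes the hotfix from step 1 is already installed, that it is run as an administrator, and the backup file name is made up for the example.

```batch
@echo off
rem Added example: scripted form of step 2 (disable AES 128 in SCHANNEL).
rem Run as an administrator on the IIS 6.0 machine, after installing the hotfix.
setlocal

set "CIPHERS=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
set "AES128=%CIPHERS%\AES 128/128"
rem Backup location is an assumption of this example; change it as needed.
set "BACKUP=%TEMP%\schannel-ciphers-backup.reg"

rem Export the current Ciphers subtree so the change can be undone
rem later with: reg import "%BACKUP%"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%CIPHERS%" "%BACKUP%" >nul
if errorlevel 1 goto :backup_failed

rem Step 2c: create the DWORD value Enabled = 0 under AES 128/128.
rem The key name contains a forward slash, so the whole path must be quoted.
reg add "%AES128%" /v Enabled /t REG_DWORD /d 0 /f >nul
if errorlevel 1 goto :write_failed

rem Read the value back and confirm it is really 0 before asking for a reboot.
reg query "%AES128%" /v Enabled | find "0x0" >nul
if errorlevel 1 goto :verify_failed

echo AES 128/128 is now disabled. Backup saved to %BACKUP%
echo Reboot the machine for the change to take effect.
exit /b 0

:backup_failed
echo Could not export %CIPHERS%. No changes were made.
exit /b 1

:write_failed
echo Could not write the Enabled value. Check that you are an administrator.
exit /b 1

:verify_failed
echo The Enabled value did not read back as 0. Inspect the key in regedit.exe.
exit /b 1
```

The script stops before touching the registry if the backup fails, and it does not reboot the machine; step 3 is still done by hand.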

 

On a Vista or Windows 7 machine, which supports AES 256, you can use IE to browse that IIS 6.0 web site through HTTPS. The SSL connection then uses 256-bit encryption.

 

Regards,

 

Xin Jin

Comments

  • Anonymous
    August 24, 2010
    Thanks, this article was very helpful to me. There are a number of comments on various sites that claim 256 bit encryption is not supported on Windows 2003 (although this was the case initially). This page provides the most up to date information.
  • Anonymous
    March 22, 2011
    Hi Xin Jin,
    Thanks for your article. It is very helpful to me. I also want to ask you about how to disable these ciphers:
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_RC4_128_SHA
    Thanks,
    Don
  • Anonymous
    April 03, 2011
    Don, you may check this article: 245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
    support.microsoft.com/default.aspx
  • Anonymous
    April 20, 2011
    After installing KB980436 it is not possible to install this hotfix. :(