How to force Diffie–Hellman key exchange to be 2048

This seems to be a default setting on Windows Server 2016. On Windows Server 2012 your SSL Labs score can be capped to B if you still allow 1024-bit Diffie-Hellman key exchange.

You need to add the following entry to your registry.

Run -> regedit

Access the following registry location:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

Valid key values (in decimal) are: 1024, 2048, 3072 and 4096.
Add the following DWORD (32-bit) value, in decimal:
"ServerMinKeyBitLength" = 2048 (or 00000800 in hex)
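The same change can be scripted so it is repeatable across servers. The following PowerShell snippet is an added example, not part of the original post; it assumes you run it from an elevated (administrator) session, and that 2048 is the minimum you want (the MSDN page linked below documents the value as a bit length, so 3072 or 4096 can be substituted).

```powershell
# Added example: set the minimum DH server key length via PowerShell.
# Assumes an elevated session; $MinBits is a value you choose (2048 here).
$MinBits = 2048
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

# Sanity check: only the documented lengths make sense here.
if ($MinBits -notin 1024, 2048, 3072, 4096) {
    throw "ServerMinKeyBitLength must be 1024, 2048, 3072 or 4096 (got $MinBits)"
}

# The Diffie-Hellman subkey does not exist by default on every build; create it if missing.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Write the DWORD. -Force overwrites an existing value so the script is idempotent.
New-ItemProperty -Path $KeyPath -Name 'ServerMinKeyBitLength' `
    -PropertyType DWord -Value $MinBits -Force | Out-Null

# Read it back and show both decimal and hex, which is what regedit displays.
$Current = (Get-ItemProperty -Path $KeyPath -Name 'ServerMinKeyBitLength').ServerMinKeyBitLength
'ServerMinKeyBitLength = {0} (0x{1:X8})' -f $Current, $Current

# SCHANNEL reads this at service start; a reboot is the reliable way to apply it.
```

After rebooting, re-run the SSL Labs test (or any TLS scanner you trust) against the server: the DHE cipher suites it still offers should now report a 2048-bit group or larger, and the "weak DH" cap should be gone.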

Please remember to always test this before using it in production, as some older browsers may stop being able to connect to your website if you don't support the right ciphers.

More info can be found here:

https://msdn.microsoft.com/en-us/library/windows/desktop/mt767781(v=vs.85).aspx
