Exchange TLS & SSL Configuration to achieve an A rating from SSLLabs

On my test Exchange server (Exchange 2013 on Windows Server 2012 R2) I was able to achieve an A rating from SSLLabs by disabling SSL 3.0, removing the RC4 ciphers, and enabling AEAD cipher suites. This is nearly as good as one can achieve at this time.

Disable support for SSL 3.0 on the server:

Remove RC4 Ciphers:
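The two steps above can be done without a GUI by writing the SCHANNEL registry keys directly. The following is an added example, not code from the original post: it disables SSL 3.0 on the server side, disables the three RC4 ciphers, and reads the result back. It assumes an elevated PowerShell session on Windows Server 2012 R2 and that the Protocols and Ciphers keys live under the standard SCHANNEL path; SCHANNEL only reads these keys at boot, so a reboot is still required afterwards.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# on Windows Server 2012 R2 and reboot afterwards: SCHANNEL reads these keys at boot.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# SSL 3.0, server side only. Enabled=0 turns the protocol off and
# DisabledByDefault=1 keeps it from being negotiated even if an application asks for it.
$ssl3 = Join-Path $schannel 'Protocols\SSL 3.0\Server'
New-Item -Path $ssl3 -Force | Out-Null
New-ItemProperty -Path $ssl3 -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $ssl3 -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null

# RC4. The cipher key names contain a forward slash ("RC4 128/128"), which the
# PowerShell registry provider treats as a path separator, so go through the
# .NET registry API instead of New-Item. CreateSubKey opens or creates the key.
$rc4Keys     = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$ciphers     = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
foreach ($name in $rc4Keys) {
    $k = $ciphers.CreateSubKey($name)
    $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $k.Close()
}
$ciphers.Close()

# Read back what was written so the change can be checked before the reboot.
function Get-SchannelState {
    $c   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    $rc4 = foreach ($n in $rc4Keys) {
        '{0}: Enabled={1}' -f $n, $c.OpenSubKey($n).GetValue('Enabled')
    }
    $c.Close()
    [pscustomobject]@{
        Ssl3Server = Get-ItemProperty -Path $ssl3 | Select-Object Enabled, DisabledByDefault
        Rc4        = $rc4
    }
}

Get-SchannelState
```

After the reboot, re-run the SSLLabs test: the protocol list should no longer include SSL 3 and no suite ending in RC4_128_SHA or RC4_128_MD5 should be offered.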


Ciphers available on Windows Server 2012 R2:

The following cipher suites support AEAD encryption (AES-GCM) on Windows Server 2012 R2:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

To enable the required cipher suites, download IIS Crypto from Nartac Software. I had to enable the following cipher suites:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Then move them to the top of the cipher suite order.


SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

To fix this, raise the minimum DHE key size the server will use to 2048 bits by adding the registry value below (0x800 = 2048). The value is described in the Microsoft security advisory linked here and requires the update that advisory ships:

https://docs.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

With this setting in place (after a reboot, since SCHANNEL reads the key at boot), the DHE AEAD cipher suites are no longer classified as weak and SSLLabs will give you an A grade.
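The IIS Crypto steps above and the registry value just shown can be scripted together. The following is an added example, not code from the original post or from IIS Crypto: it sets ServerMinKeyBitLength to 2048, then writes a cipher suite order that puts the two DHE AES-GCM suites first, drops any RC4 suite from the list, and keeps the rest of the current order unchanged. It assumes an elevated PowerShell on Windows Server 2012 R2 with the advisory's update installed, that Get-TlsCipherSuite from the built-in TLS module reports the order currently in effect, and that the order is stored as the comma-separated REG_SZ "Functions" under the SSL policy key (the same value the "SSL Cipher Suite Order" Group Policy writes). A reboot is needed for both changes to take effect.

```powershell
# Added example (not from the original post). Elevated PowerShell on
# Windows Server 2012 R2 with the update from Microsoft Security Advisory 3174644.

# 1. Minimum DHE key length, as in the registry value above (2048 = 0x800).
$dhKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
New-Item -Path $dhKey -Force | Out-Null
New-ItemProperty -Path $dhKey -Name 'ServerMinKeyBitLength' -PropertyType DWord -Value 2048 -Force | Out-Null

# 2. Cipher suite order. Suites to move to the front, strongest first.
$preferred = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Get-OrderedSuites {
    param([string[]]$Current, [string[]]$Preferred)
    # Keep the existing order for everything else, but leave out the suites
    # being moved to the front and anything RC4-based (RC4 was disabled earlier).
    $rest = $Current | Where-Object { $Preferred -notcontains $_ -and $_ -notmatch 'RC4' }
    return $Preferred + $rest
}

$current = (Get-TlsCipherSuite).Name
$ordered = Get-OrderedSuites -Current $current -Preferred $preferred

# The policy value is a single comma-separated REG_SZ named "Functions"
# (the same value the "SSL Cipher Suite Order" Group Policy writes).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'Functions' -PropertyType String -Value ($ordered -join ',') -Force | Out-Null

# Show the resulting order so it can be checked before rebooting.
$ordered
```

The suite names must match what the OS reports (on 2012 R2 the ECDHE suites carry the _P256/_P384 suffix shown in the list above), and the Functions value has a length limit, so keep the list to the suites you actually want rather than every suite the OS knows. After the reboot, Get-TlsCipherSuite should list the two DHE GCM suites first, and the SSLLabs report should no longer show the weak DH warning.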
