Exchange TLS & SSL Configuration to achieve an A rating from SSLLabs

On my test Exchange Server with Exchange 2013 on Windows Server 2012 R2, I was able to achieve an A rating from SSLLabs by disabling SSL 3.0, removing RC4 ciphers, and enabling AEAD encryption. This is nearly as good as one can achieve at this time.

Disable support for SSL 3.0 on the server:

Remove RC4 Ciphers:


Ciphers available on Windows Server 2012 R2:

The following cipher suites support AEAD encryption on Windows Server 2012 R2:


To enable the required encryption, download IISCrypto from Nartac Software. I had to enable the following ciphers:


Then move them to the top of the ciphers list.


SSLLabs message: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

To fix it, you can increase the DHE key size to 2048 by adding the registry key below:


Using this setting you will have an AEAD cipher that is not classified as “weak” and SSLLabs will give you an A Grade.
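The registry-level steps above (SSL 3.0 off, RC4 off, 2048-bit DHE) as an added PowerShell example; this is not the author's own listing, and it uses the documented Schannel registry values. It assumes an elevated session, a Schannel build that honours `ServerMinKeyBitLength`, and a reboot afterwards; cipher-suite ordering is still done in IISCrypto as described above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): Schannel hardening via the registry.
$root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

$settings = @(
    # Disable SSL 3.0 for inbound (server-side) connections.
    @{ SubKey = 'Protocols\SSL 3.0\Server'; Name = 'Enabled';           Value = 0 }
    @{ SubKey = 'Protocols\SSL 3.0\Server'; Name = 'DisabledByDefault'; Value = 1 }
    # Require at least a 2048-bit DH modulus for DHE key exchange.
    @{ SubKey = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'ServerMinKeyBitLength'; Value = 2048 }
)

# Disable every RC4 variant Schannel knows about.
foreach ($cipher in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $settings += @{ SubKey = "Ciphers\$cipher"; Name = 'Enabled'; Value = 0 }
}

foreach ($s in $settings) {
    # The .NET registry API is used on purpose: the RC4 key names contain "/",
    # which New-Item on the HKLM: drive would split into nested keys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$root\$($s.SubKey)")
    try {
        $key.SetValue($s.Name, [int]$s.Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        # Read the value back so the result can be reviewed before rebooting.
        [pscustomobject]@{
            Key   = $s.SubKey
            Name  = $s.Name
            Value = $key.GetValue($s.Name)
        }
    }
    finally {
        $key.Close()
    }
}
```

After the reboot, rerun the SSLLabs test to confirm that SSL 3.0 and RC4 are no longer offered and that the weak Diffie-Hellman warning is gone.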
