How to control the ciphers for SSL and TLS (216482)
The information in this article applies to:

  • Microsoft Internet Information Services version 6.0
  • Microsoft Internet Information Services 5.0

This article was previously published under Q216482
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) can both use different ciphers, depending on the capabilities of the connecting client. By default, all ciphers can be used; however, you can also choose which ciphers to allow (for example, allowing only RC4 with 64/128 and Skipjack for Fortezza). Note that changing these values affects ciphers on the entire computer: Internet Explorer, for example, uses the same registry entries to determine which ciphers are available for use.

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To choose the ciphers you want to allow, perform the following steps:
  1. Click Start, point to Run, and type "Regedt32.exe" (without the quotation marks).
  2. Locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

  3. In the list of available ciphers, select one of the ciphers you do not want to use. In the right pane, view the "Enabled" value for this entry. The value can be one of the following:

    0xffffffff (enabled)
    0x0 (disabled)

  4. Click Enabled, choose Edit, and then choose Modify.
  5. In the "Edit DWORD Value" window, make sure that the Value Name is Enabled and that the Base is set to Hexadecimal.
  6. In the Value Data box, delete the previous value and enter 0 (zero) to disable the cipher, or "ffffffff" (without the quotation marks) to enable it.
  7. Click OK.
  8. Restart the computer.
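
The same check and change can be scripted. The following PowerShell script is an added example, not part of this article; it assumes an elevated (administrator) session and uses the .NET registry classes instead of HKLM:\ paths because cipher subkey names such as "RC4 64/128" contain a forward slash, which the PowerShell registry provider treats as a path separator.

```powershell
# Added example (not from the KB article): list the Schannel cipher
# "Enabled" values and set one of them. Run from an elevated PowerShell
# session; as in the article, the change takes effect after a restart.

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    # Returns one object per cipher subkey with its effective state.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath)
    if ($null -eq $root) { return }
    foreach ($name in $root.GetSubKeyNames()) {
        $sub = $root.OpenSubKey($name)
        $raw = $sub.GetValue('Enabled')
        # The DWORD 0xffffffff is read back as the Int32 -1. A missing
        # "Enabled" value means the default, which is enabled.
        $state = if ($null -eq $raw) { 'enabled (default)' }
                 elseif ([int]$raw -eq 0) { 'disabled' }
                 else { 'enabled' }
        [pscustomobject]@{ Cipher = $name; Enabled = $raw; State = $state }
        $sub.Close()
    }
    $root.Close()
}

function Set-SchannelCipher {
    param(
        [Parameter(Mandatory)][string]$Cipher,   # subkey name, e.g. 'RC4 64/128'
        [Parameter(Mandatory)][bool]$Enabled
    )
    # CreateSubKey opens the key writable and creates it if it is missing;
    # the cipher subkeys are not always present on a fresh system.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$CiphersPath\$Cipher")
    # RegistryValueKind.DWord only accepts an Int32, so the article's
    # 0xffffffff (enabled) must be written as -1; 0 disables the cipher.
    $value = if ($Enabled) { [int]-1 } else { [int]0 }
    $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Show the current state of every cipher subkey.
Get-SchannelCipherState | Format-Table -AutoSize

# Disable RC4 64/128 (the cipher named in the article) and re-read its state.
Set-SchannelCipher -Cipher 'RC4 64/128' -Enabled:$false
Get-SchannelCipherState | Where-Object { $_.Cipher -eq 'RC4 64/128' }
```

Because Schannel reads these keys at startup, the listing reflects the registry, not the running configuration, until the computer is restarted.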

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll


Modification Type: Minor
Last Reviewed: 8/8/2006
Keywords:kbhowto KB216482