Choose the Right Cipher Suites in Schannel.dll

Learn How to Use Only Certain Cryptographic Algorithms and Protocols in Schannel.dll

Setting up your server correctly on Windows is important if you want to ensure you’re actually using the encryption algorithms to protect data that goes from the client (web browser) to the server and back again. On this page, we have some basic information on choosing the right Cipher Suite to use with your Windows Server as well as how to set it up. It’s a good idea to only activate the particular ones you’re going to be using and to disable the rest. Also note that SSL 2.0 and others may not be turned on by default.

Understanding Cipher Suites and Schannel.dll

Before getting to what you need to do to change which Cipher Suites are used and which Cryptographic Algorithms and Protocols are used, we’re going to briefly explain the Schannel.dll file, including how it uses Cipher Suites to determine which security protocols to use. This is set-up in the Registry for Windows and isn’t difficult to do. The instructions do vary a little depending what operating system and web server you’re using.

What is Schannel.dll?

Simply put, Schannel.dll is a library that is the main Microsoft TLS / SSL Security Provider. It stands for Secure Channel and is used by Microsoft Web Servers, including Windows Server 2003, Windows Server 2008, Windows 7, Windows Server 2008 R2 and others, including older ones like Windows XP and Windows NT even. We’ll have more about the differences below, but for now just know that Schannel.dll is used to determine what protocol to use.

What is a Cipher Suite?

A cipher suite is nothing more than a set of cryptographic algorithms. Schannel protocols use the various algorithms from a particular cipher suite to create keys and encrypt information. In general, a cipher suite will specify one algorithm for each of the following three tasks:

  • Key exchange – These algorithms are asymmetric (public key algorithms) and perform good with small amounts of data. They’re used to protect information required to create shared keys for secure transactions.
  • Bulk encryption – This task will encrypt messages exchanged between clients and servers. These algorithms are symmetric and tend to perform very well, even with large amounts of data being transferred.
  • Message authentication – These algorithms generate message hashes and signatures that ensure the integrity of a message.

All of the above use ALG_ID – a data type that specifies an algorithm identifier – to let the operating system know which Cipher Suite to use. You can see a list of all available Cipher Suites available to Schannel.dll at the Microsoft website here.

Changing the Cipher Suites in Schannel.dll

Now that you know a little more about cipher suites and Schannel.dll, it’s time to go over how to change which Cryptographic Algorithms and Protocols are actually used. It’s important to note that even if you change what Schannel.dll uses, the software you’ll be using must also support the protocols. Here is a list of the various Windows operating systems that you may be using as a server.

  • Windows Server 2012 Standard
  • Windows Server 2012 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Datacenter
  • Windows 7 Enterprise
  • Windows 7 Professional
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Server 2008 Datacenter
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition

Windows NT 4.0 Service Pack 6, Windows 2000, Windows XP, Windows 2003

First, we’re going to look at Windows 2003 operating systems and earlier. To switch different protocols on and off, you must first use Regedt32.exe to locate the following Registry key:

 

  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL

Next, we are going to go over the various subkeys that are available – and where you want to make your changes. Basically, to enable one of the below, set its DWORD value data to 0xffffffff or set it to 0x0 to disable that particular subkey.

  • SCHANNELProtocols – To enable the system to use the protocols that will not be negotiated by default (such as TLS 1.1 and TLS 1.2), change the DWORD value data of the DisabledByDefault value to 0x0 in the following registry keys under the Protocols key:
  • SCHANNELCiphers subkey – The Ciphers registry key under the SCHANNEL key is used to control the use of symmetric algorithms such as DES and RC4. The following are valid registry keys under the Ciphers key.
  • SCHANNEL/Hashes subkey – The Hashes registry key under the SCHANNEL key is used to control the use of hashing algorithms such as SHA-1 and MD5. The following are valid registry keys under the Hashes key.
  • SCHANNEL/KeyExchangeAlgorithms subkey – The KeyExchangeAlgorithms registry key under the SCHANNEL key is used to control the use of key exchange algorithms such as RSA. The following are valid registry keys under the KeyExchangeAlgorithms key.

Source: Microsoft Knowledge Base

NOTE: For the Schannel.dll file to recognize any changes under the SCHANNEL registry key, you must restart the computer.

Windows 7, Windows Server 2008 and Later

For newer operating systems, the Registry is set-up a little different. Here’s the keys you’re going to want to work with to turn certain protocols on or off. To enable one of the below, set its DWORD value data to dword:00000001 or set it to dword:00000000 to disable that particular subkey.

  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannel]
  • “EventLogging”=dword:00000001
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphers]
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCipherSuites]
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelHashes]
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelKeyExchangeAlgorithms]
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocols]
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 2.0]
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 2.0Client]
  • “DisabledByDefault”=dword:00000001

Windows Server 2008 supports the following protocols:

  • SSL 2.0
  • SSL 3.0
  • TLS 1.0

Windows Server 2008 R2 and Windows 7 support the following protocols:

  • SSL 2.0
  • SSL 3.0
  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

Source: Microsoft Knowledge Base

NOTE: For the Schannel.dll file to recognize any changes under the SCHANNEL registry key, the server must be restarted.

Case Study: Enable TLS 1.2 Ciphers in IIS 7.5, Server 2008 R2, Windows 7

Over at Derek Seaman’s Blog, he came up with a nifty PowerShell script back in 2010 to help with enabling TLS 1.2 ciphers – which AES-256 encryption with SHA-256 hashes.

Cipher Suites in Schannel.dll

If you have any questions about Cipher Suites in Schannel.dll or anything else related to SSL certificates and ensuring your website visitors’ data is safe at all times, don’t hesitate to contact us. We’ll do our best to answer your questions and point you in the right direction.