Home > Software engineering >  Powershell Enable-TlsCipherSuite
Powershell Enable-TlsCipherSuite

Time:12-18

I am looking to enable TLS ciphers on a Windows 10 Pro 21h1 Operating system. I am planning to use the following PowerShell commands and apply these to multiple devices via an MDM solution.

Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" -position 0
Enable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" -position 1

Does it matter what position these appear in the array of ciphers? I read over the MSFT docs and I do not see anything mentioned about positioning requirements.

CodePudding user response:

Yes Cipher order is important, Get-TlsCipherSuite returns an ordered list. That order is respected when the server is negotiating a cipher to use. You want to ensure your strongest ciphers at the top of the list, and any weaker ones you need to support are at end of the list (and its generally a good idea to remove all the really weak ones eg Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_NULL_SHA')

Calling Enable-TlsCipherSuite with -position 0 will insert the new Cipher at the top of the list. Calling Enable-TlsCipherSuite without the -position param (or specifying -position 4294967295) will append the Cipher Suite to the end of the list.

  • Related