Exchange 2007 Cipher Suite Order

Tags: exchange-2007, tls, windows-server-2003

I'm experiencing issues receiving TLS encrypted e-mail from a specific domain. We entered into an agreement to use a 256-bit cipher and apparently our Exchange 2007 server on Windows Server 2003 isn't offering that up as an option, thus everything is getting rejected for only offering 128-bit encryption.

Rather than have them change things on their end, I'd like to resolve it on ours. I found a hotfix that allows me to add 256-bit AES ciphers to the list of available ciphers. I installed the hotfix, but it did not resolve my issue.

After reading this article, I'm suspecting that our Exchange 2007 server's cipher order is offering up 128-bit encryption first, and then the remote server is RSET'ing the connection when we do so. I'd like to verify that our server is offering up the 256-bit encryption option first.

The Computer Configuration | Administrative Templates | Network | SSL Configuration Settings | SSL Cipher Suite Order key doesn't exist on my Windows Server 2003 Exchange box, so I can't modify it.

Does ANYONE have any clue about how to go about resolving this issue?

Best Answer

Apparently it is not possible to reorder the SSL Cipher Suite. My Windows Server 2003 Exchange 2007 server will always and forever offer AES-128 before AES-256 unless I disable the use of AES-128 by modifying the following registry key.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128 : DWORD Enabled=0x0

With Windows Server 2008, you can just change the SSL Cipher Suite Order.
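Since the question is really about confirming which cipher the Exchange server prefers before and after the registry change, here is an added example (not from the original post or answer) that probes a mail server's STARTTLS handshake from a client with openssl s_client; the host and port are assumptions you supply.

```shell
#!/bin/sh
# Added example, not code from the original post. Probes an SMTP server's
# STARTTLS handshake with openssl s_client to see which cipher the server
# actually selects, which is how you verify the AES-256 question above.
# Assumes openssl is installed; host and port are placeholders you supply.

# Read openssl s_client output on stdin and print the negotiated cipher name,
# or "none" when no TLS session was established ("Cipher is (NONE)").
negotiated_cipher() {
    awk '/Cipher is/ { c = $NF; found = 1; exit }
         END { if (!found || c == "(NONE)") c = "none"; print c }'
}

# Run one STARTTLS probe offering only the given OpenSSL cipher list and
# print the cipher the server picked.
probe_smtp_tls() {
    host="$1"; port="$2"; ciphers="$3"
    openssl s_client -starttls smtp -connect "$host:$port" -cipher "$ciphers" \
        </dev/null 2>/dev/null | negotiated_cipher
}

# Offer AES-128 and AES-256 together: the server's choice reveals its
# preference order (what a sending MTA would also end up with). Then offer
# AES-256 alone to confirm the server can use it at all.
report_aes_preference() {
    host="$1"; port="${2:-25}"
    echo "server picks when offered both: $(probe_smtp_tls "$host" "$port" AES128-SHA:AES256-SHA)"
    echo "server picks when offered 256 : $(probe_smtp_tls "$host" "$port" AES256-SHA)"
}

# Usage: report_aes_preference mail.example.com 25
```

Against a Windows Server 2003 host you may need to add `-tls1`, and with OpenSSL 3.x the legacy security level (`-cipher 'AES256-SHA:@SECLEVEL=0'`), since TLS 1.0 is refused at the default level.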