SSL Handshake Failure – Expected Cipher Suites Not Showing in Packet Traces

Tags: iis, ssl

I want to start off by saying that I am not an expert in regards to networking or Wireshark but I do have a background in web development, particularly .net and iis/windows server.

I am trying to add a couple of ciphers in the Cipher Suites of my server. This is because the server I am connecting to made a patch to theirs and requested people connecting to them with these ciphers added. I am currently getting a TLS Handshake Failure when I connect to them.


These are the ones I need:

ECDHE-RSA-AES128-GCM-SHA256(OpenSSL) - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-AES256-GCM-SHA384(OpenSSL) - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

I added the Cipher Suite equivalent, which should be the ones I actually need.

Even though I added them (using gpedit.msc and IISCrypto) and placed them at the very start of the whole cipher list, they do not seem to show up when I trace the connection in Wireshark.

IISCrypto

Update: the ciphers from the image above are changed to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

SSL Cipher Suite Order

TLS__ECDHE_RSA_AES128_GCM_SHA256,TLS_ECDHE_RSA_AES256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Wireshark trace: the 3 highlighted ciphers do not appear in the trace.
What are the common causes of this?

UPDATE: Confirming that the server accepts the requested ciphers, checked through nmap.

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A

Best Answer

I think your question is based on a misunderstanding of how the TLS handshake and specifically the cipher selection works and what you can see on the wire.

The cipher selection is done by the client sending a list of ciphers the client accepts and the server then selecting one cipher from this client offer. This means only the ciphers acceptable to the client are included in the TLS handshake. The list of ciphers acceptable to the server is not included in the handshake, and that's why you cannot see it.

You can only get the ciphers supported by the server by using a client configuration which offers only this specific cipher. If the server accepted the cipher, it supports it; if not, it (most likely) does not support it. And that's exactly what the nmap command you've used does: it just tries lots of different ciphers and checks whether the handshake succeeds.
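To make the two points of this answer concrete (only the client's list is on the wire, and a server's support is discovered by offering one suite at a time, as nmap's ssl-enum-ciphers does), here is an added Python model of TLS 1.2 cipher negotiation. It is example code, not from the original post or from IIS/nmap: it builds a minimal ClientHello and ServerHello with the RFC 5246 byte layout (no extensions), parses the suite lists back out of the bytes the way a packet trace would show them, and simulates the server's choice. The server list used in the demo is constructed from the nmap output in the question; the IANA code points are real.

```python
"""Toy TLS 1.2 cipher negotiation: what the client puts on the wire, what the
server answers, and how per-suite probing discovers server support."""
import os
import struct

# IANA code points for the suites named in the question (real values).
SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": 0x0039,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
}
NAMES = {v: k for k, v in SUITES.items()}

RECORD_HANDSHAKE, RECORD_ALERT = 0x16, 0x15
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02
ALERT_FATAL, HANDSHAKE_FAILURE = 2, 40
TLS12 = b"\x03\x03"


def _record(content_type, body):
    # TLS record header: type, version, length.
    return struct.pack("!BHH", content_type, 0x0303, len(body)) + body


def _handshake(msg_type, body):
    # Handshake header: type plus 24-bit length.
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(offered):
    """ClientHello carrying exactly the suites the client accepts."""
    suites = b"".join(struct.pack("!H", cs) for cs in offered)
    body = (TLS12 + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    return _record(RECORD_HANDSHAKE, _handshake(HS_CLIENT_HELLO, body))


def parse_client_hello(record):
    """Offered suites: all that a trace of the ClientHello reveals about ciphers."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    assert ctype == RECORD_HANDSHAKE and hs[0] == HS_CLIENT_HELLO
    body = hs[4:]                       # skip handshake type + 3 length bytes
    pos = 35 + body[34]                 # version(2) + random(32) + session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def select_cipher(offered, server_list, server_preference=True):
    """First mutually supported suite; None means handshake_failure."""
    first, second = (server_list, offered) if server_preference else (offered, server_list)
    for cs in first:
        if cs in second:
            return cs
    return None


def server_respond(client_hello, server_list, server_preference=True):
    """What the server puts on the wire: a ServerHello naming ONE suite, or a
    fatal alert. The server's own list appears in neither message."""
    chosen = select_cipher(parse_client_hello(client_hello), server_list, server_preference)
    if chosen is None:
        return _record(RECORD_ALERT, bytes([ALERT_FATAL, HANDSHAKE_FAILURE]))
    body = TLS12 + os.urandom(32) + b"\x00" + struct.pack("!H", chosen) + b"\x00"
    return _record(RECORD_HANDSHAKE, _handshake(HS_SERVER_HELLO, body))


def parse_server_response(record):
    """('selected', suite) for a ServerHello, ('alert', description) for an alert."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + rlen]
    if ctype == RECORD_ALERT:
        return ("alert", payload[1])
    body = payload[4:]
    pos = 35 + body[34]
    return ("selected", struct.unpack("!H", body[pos:pos + 2])[0])


def probe_support(server_list, candidate):
    """Offer a single suite, the way nmap ssl-enum-ciphers tests each one."""
    kind, _ = parse_server_response(server_respond(build_client_hello([candidate]), server_list))
    return kind == "selected"


def enumerate_supported(server_list, candidates):
    """Names of candidate suites the server accepts, learned purely client-side."""
    return [NAMES[cs] for cs in candidates if probe_support(server_list, cs)]


if __name__ == "__main__":
    # Constructed server configuration modelled on the nmap output in the question.
    server = [SUITES["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
              SUITES["TLS_DHE_RSA_WITH_AES_128_CBC_SHA"],
              SUITES["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"],
              SUITES["TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]]
    client = [SUITES["TLS_RSA_WITH_AES_128_CBC_SHA"]]   # offers only RSA key exchange
    print(parse_server_response(server_respond(build_client_hello(client), server)))
    print(enumerate_supported(server, list(SUITES.values())))
```

Running the demo shows a fatal alert with description 40 (handshake_failure) for the client that offers only a suite the server lacks, and the four suites the nmap scan listed when every candidate is probed one at a time. Note that `parse_client_hello` is the only place a trace can read cipher names from, so a Wireshark capture of your own client will show your client's offer, never the remote server's configured list.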