I am working on trying to make sense of what is required for both PCI DSS compliance as well as FIPS compliance in relation to SSL/TLS cipher suites. I have been reading the guide here and here. However, I have not been able to find anything that states what order or priority I should list the ciphers in. I can see which ones I need to use and disable, but I assume that there is a priority that should be followed for them as well. This is primarily for Windows servers and then later I would look at performing the same to Linux servers running Apache.
SSL/TLS Cipher Priority
Tags: fips-140-2, pci-dss, ssl, tls
Best Answer
It depends on the version of Windows/IIS. In 2003 (IIS 6) and earlier, this can't be done. You can only enable/disable ciphers. In Windows 2008 (IIS 7) and later, you can do this through a GPO (if you're domain joined, and I'm guessing this server isn't if it's PCI compliant).
More info here: http://technet.microsoft.com/en-us/library/cc766285(v=ws.10).aspx
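For the Windows 2008-and-later case the answer describes, the GPO setting "SSL Cipher Suite Order" is just a registry value under the Policies hive, so the same order can be set and audited from an elevated PowerShell session. The script below is an added example, not code from the question or the answer; the suite list is a constructed illustration (take the real allowed set from your PCI DSS / FIPS guidance), and the `Get-TlsCipherSuite` check assumes Windows Server 2016 / Windows 10 or later.

```powershell
# Constructed example order: forward-secret AEAD suites first, so Schannel prefers
# them during negotiation. Names are in the Windows 10 / Server 2016+ form; on
# Server 2012 the ECDHE suites carry a _P256 / _P384 curve suffix instead.
$DesiredOrder = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Registry location written by the GPO setting
# Computer Configuration > Administrative Templates > Network >
# SSL Configuration Settings > SSL Cipher Suite Order.
# On a domain-joined host a domain GPO will overwrite whatever is set here.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Set-TlsCipherSuiteOrder {
    param([Parameter(Mandatory)][string[]]$Order)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # The policy stores the whole order as one comma-separated REG_SZ string.
    Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value ($Order -join ',')
}

function Get-TlsCipherSuiteOrder {
    # Returns the policy-defined order as an array, or an empty array when no policy exists.
    $prop = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return @() }
    return $prop.Functions -split ','
}

# Sanity check before applying: Schannel silently ignores names it does not know,
# so a typo would drop a suite rather than fail loudly.
$Supported = (Get-TlsCipherSuite).Name
$Unknown   = $DesiredOrder | Where-Object { $_ -notin $Supported }
if ($Unknown) { throw "Not supported on this host: $($Unknown -join ', ')" }

Set-TlsCipherSuiteOrder -Order $DesiredOrder
Get-TlsCipherSuiteOrder   # read back what was written

# A reboot is required before Schannel picks up the new order.
```

Because the policy value replaces the default list entirely, any suite you omit from `$DesiredOrder` is disabled, which is also how the "disable" half of the PCI/FIPS guidance is enforced.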