How to Control the Ciphers for SSL and TLS

ID: Q216482


The information in this article applies to:
  • Microsoft Internet Information Services version 5.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) can both use different ciphers, depending on the abilities of the connecting client. By default, all ciphers can be used; however, you can also choose the ciphers you want to allow (for example, only allowing RC4 using 64/128 and Skipjack for Fortezza). Note that changing these values affects ciphers on the entire computer, not only IIS. Internet Explorer, for example, uses the same registry entries to determine the ciphers that are available for use.


MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).


To choose the ciphers you want to allow, perform the following steps:

  1. Click Start, point to Run, and type "Regedt32.exe" (without the quotation marks).


  2. Locate the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers


  3. In the list of available ciphers, select one of the ciphers you do not want to use. In the right pane, view the "Enabled" value for this entry. The value can be one of the following:

    0xffffffff (enabled)
    0x0 (disabled)


  4. Click Enabled, choose Edit, and then choose Modify.


  5. In the "Edit DWORD Value" window, make sure that the Value is set to Enabled and that the Base Value is set to Hexadecimal.


  6. In the Value Data box, delete the previous value and change it to enabled or disabled by entering 0 (zero) for disabled, or "ffffffff" (without the quotation marks) for enabled.


  7. Click OK.


  8. Restart Internet Information Services for the changes to take effect.
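
The steps above carried out from PowerShell, as an added example that is not part of the original article: it lists every subkey under the Ciphers key with its "Enabled" value and, only when -Apply is given, writes 0x0 or 0xffffffff to the subkeys you name. The function name and its parameters are hypothetical, and it assumes an elevated session on a Windows system where PowerShell is available and the key layout matches the one in step 2.

```powershell
# Added example (hypothetical helper, not Microsoft's code). Run elevated.
# Assumes one subkey per cipher, each with a DWORD value named "Enabled".
function Set-SchannelCipherState {
    param(
        [string[]] $Disable = @(),   # cipher subkey names to set to 0x0
        [string[]] $Enable  = @(),   # cipher subkey names to set to 0xffffffff
        [switch]   $Apply            # without -Apply nothing is written
    )
    $path = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    $both = $Disable | Where-Object { $Enable -contains $_ }
    if ($both) { throw "Listed under both -Disable and -Enable: $($both -join ', ')" }

    # The .NET registry API is used because cipher subkey names can contain "/",
    # which the PowerShell registry provider treats as a path separator.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, [bool]$Apply)
    if ($null -eq $root) { throw "Key not found: HKLM\$path" }
    try {
        $names = $root.GetSubKeyNames()
        # A mistyped name would otherwise leave that cipher untouched without any error.
        $unknown = @($Disable) + @($Enable) | Where-Object { $names -notcontains $_ }
        if ($unknown) { throw "No such cipher subkey: $($unknown -join ', ')" }

        foreach ($name in $names) {
            $key = $root.OpenSubKey($name, [bool]$Apply)
            try {
                $current = $key.GetValue('Enabled', $null)     # $null if the value is absent
                $target  = $current
                if ($Disable -contains $name) { $target = 0 }
                if ($Enable  -contains $name) { $target = -1 } # Int32 -1 is stored as 0xffffffff
                $changed = $Apply -and ($target -ne $current)
                if ($changed) {
                    $key.SetValue('Enabled', $target, [Microsoft.Win32.RegistryValueKind]::DWord)
                }
                [pscustomobject]@{
                    Cipher  = $name
                    Current = if ($null -eq $current) { '(not set)' } else { '0x{0:x8}' -f $current }
                    Target  = if ($null -eq $target)  { '(not set)' } else { '0x{0:x8}' -f $target }
                    Written = [bool]$changed
                }
            } finally { $key.Close() }
        }
    } finally { $root.Close() }
}

# Audit only (no changes):           Set-SchannelCipherState
# Disable one cipher (placeholder):  Set-SchannelCipherState -Disable '<cipher subkey name>' -Apply
# Afterwards restart IIS (step 8), for example with iisreset.
```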


Additional query words: cipher algorithm ssl tls

Keywords :
Version : winnt:5.0
Platform : winnt
Issue type : kbhowto


Last Reviewed: February 2, 2000
© 2000 Microsoft Corporation. All rights reserved.