0

I have a server using: Key Exchange: ECDHE_RSA (0xae06) 256bits

I would like to change this to: Key Exchange: RsaKeyX 2048bits

Is this something that can be done at the server level or is this set in the SSL Certificate being used? If changeable, does it require a reboot of the server after changing it?

Thank you!

3
  • The used TLS cipher is negotiated between server and client. You can only limit the supported ciphers on server or client side (it is unclear what side you are talking about). But if your favorite cipher is not supported by the server/client then negotiation will fail. And how to change the supported cipher list depends on the used software.
    – Robert
    Commented Mar 10, 2021 at 12:50
  • This is on the server side (IIS 8.5, Windows Server 2012 R2). If I understand you correctly, Robert, you're saying that the list of TLS ciphers and the order of those ciphers determines which type of key exchange is used? In the farm where the mass approval is working the cipher suite order was enabled, but not in the farm where it was failing. So I ordered the list on the nonworking farm and it had zero effect. The key exchange listed in Fiddler is the only difference I'm seeing, and the order of the cipher suites didn't affect it.
    – VACoder
    Commented Mar 11, 2021 at 23:09
  • If the server is public you can test the supported TLS version and ciphers e.g. using ssllabs.com/ssltest. For understanding what ciphers the client allows and what the server chooses I recommend you use Wireshark, e.g. on the client side. Look at the CLIENT_HELLO and SERVER_HELLO packets; they contain everything you need to know to understand the cipher negotiation.
    – Robert
    Commented Mar 12, 2021 at 8:01
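
Added example (not part of the original thread): a minimal Python reader for the two messages the last comment points to. It lists the suites a ClientHello offers, reads the single suite a ServerHello selects, and reports the resulting key exchange. The sample records are constructed, the suite table is a small subset of IANA code points, all function names are hypothetical, and it assumes one unfragmented TLS 1.2-style hello per record.

```python
import struct

# Subset of IANA TLS cipher suite code points -> (name, key exchange).
SUITES = {
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE_RSA"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE_RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
}

def parse_hello(record: bytes):
    """Return ("client", [offered suites]) or ("server", chosen suite)."""
    if len(record) < 9 or record[0] != 22:          # 22 = handshake record
        raise ValueError("not a TLS handshake record")
    rlen = struct.unpack("!H", record[3:5])[0]
    htype, hlen = record[5], int.from_bytes(record[6:9], "big")
    msg = record[9:9 + hlen]
    if len(msg) != hlen or hlen + 4 > rlen or hlen < 35:
        raise ValueError("truncated or fragmented hello")
    pos = 2 + 32                                    # skip version + random
    pos += 1 + msg[pos]                             # skip session_id
    if htype == 1:                                  # ClientHello: suite list
        n = int.from_bytes(msg[pos:pos + 2], "big")
        raw = msg[pos + 2:pos + 2 + n]
        return "client", [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]
    if htype == 2:                                  # ServerHello: one suite
        return "server", int.from_bytes(msg[pos:pos + 2], "big")
    raise ValueError("not a ClientHello or ServerHello")

def _record(htype, payload):                        # constructed sample builder
    hs = bytes([htype]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

def client_hello(suites):
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    return _record(1, b"\x03\x03" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")

def server_hello(suite):
    return _record(2, b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00")

def explain(client_record, server_record):
    offered, chosen = parse_hello(client_record)[1], parse_hello(server_record)[1]
    name, kx = SUITES.get(chosen, (hex(chosen), "unknown"))
    rsa = [SUITES[s][0] for s in offered if SUITES.get(s, ("", ""))[1] == "RSA"]
    return {"chosen": name, "key_exchange": kx, "client_offers_rsa_kx": rsa}

if __name__ == "__main__":
    # Constructed capture: client offers ECDHE and RSA suites, server picks ECDHE.
    print(explain(client_hello([0xC030, 0xC02F, 0x009D, 0x0035]), server_hello(0xC030)))
```

Fed the raw record bytes exported from a capture, `explain` shows whether the client offered any RSA key-exchange suite at all and which suite the server selected from that offer.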
