[Solved] Add legacy SSL ciphers back to Windows 11 24H2


Brandon Lee
Posts: 544
Admin
Topic starter
(@brandon-lee)
Member
Joined: 15 years ago

One issue I have found in troubleshooting a connection to a legacy SQL Server is that Windows 11 24H2 seems to have deprecated legacy ciphers even further than previous versions of Windows 11. Now, the ciphers are not even there. Previously I could launch IIS Crypto and enable all the legacy ciphers, but this didn't work in 24H2. So, I set about looking to see what had changed.

Apparently, Windows 11 24H2 removes the following ciphers:

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_RC4_128_SHA

  • TLS_RSA_WITH_RC4_128_MD5

So, these have to be added back and enabled.

PowerShell code to add these ciphers back and enable them

You can use the following PowerShell code to add these ciphers back and enable them. After running, the script calls out that you need to reboot also for these changes to take effect.

#Requires -RunAsAdministrator
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002"
# Functions is a REG_MULTI_SZ holding the ordered cipher suite list
$currentCiphers = @((Get-ItemProperty -Path $regPath).Functions)

# Legacy cipher suites for SQL 2005
$legacySuites = @(
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5"
)

# Add missing cipher suites to the SSL Functions list
$missing = @($legacySuites | Where-Object { $_ -notin $currentCiphers })
if ($missing.Count -gt 0) {
    Write-Output "Adding missing cipher suites: $($missing -join ', ')"
    $newList = $currentCiphers + $missing
    # Write back explicitly as REG_MULTI_SZ so the value type is preserved
    Set-ItemProperty -Path $regPath -Name "Functions" -Value $newList -Type MultiString
} else {
    Write-Output "All required cipher suites already present."
}

# Enable legacy cipher algorithms in SCHANNEL.
# The key names contain a literal "/" (e.g. "RC4 128/128"). The HKLM: provider treats
# "/" as a path separator and would create "RC4 128\128" instead, so the keys are
# created through the .NET registry API, which takes the name verbatim.
$cipherNames = @(
    "RC4 128/128",
    "RC4 64/128",
    "RC4 56/128",
    "RC4 40/128",
    "Triple DES 168"
)
$ciphersKey = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
    "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers")

foreach ($name in $cipherNames) {
    # CreateSubKey opens the key writable if it already exists, otherwise creates it
    $key = $ciphersKey.CreateSubKey($name)
    $key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}
$ciphersKey.Close()

Write-Output "Legacy ciphers are now enabled. Please reboot to apply changes."
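Because the change above re-enables RC4 and 3DES machine-wide, it is worth having a way to see exactly what state the box is in and to put it back once the legacy SQL Server troubleshooting is done. The script below is an added example, not the original poster's code: it reads the same two registry locations the post uses (the `Functions` multi-string under `00010002` and the `SCHANNEL\Ciphers` keys), prints their current state, and with `-Rollback` removes the three legacy suites from `Functions` and sets `Enabled` to 0 on each cipher key. It assumes the same key names and paths as the post and an elevated session. The cipher keys are opened through the .NET registry API because their names contain a forward slash, which the `HKLM:` provider treats as a path separator.

```powershell
<#
  Audit, and optionally roll back, the legacy SCHANNEL settings from the post above.
  Added example, not the original poster's script. Assumes the registry locations
  the post uses; run from an elevated PowerShell session.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Remove the legacy suites from Functions and set Enabled=0 on the cipher keys
    [switch]$Rollback
)

$suitePath    = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002"
$ciphersPath  = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
$legacySuites = @("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5")
# These key names contain "/", so they are opened via .NET rather than the HKLM: provider
$cipherKeys   = @("RC4 128/128", "RC4 64/128", "RC4 56/128", "RC4 40/128", "Triple DES 168")

function Get-LegacySchannelState {
    $functions = @((Get-ItemProperty -Path $suitePath -ErrorAction Stop).Functions)
    $ciphers   = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)

    foreach ($suite in $legacySuites) {
        $state = if ($functions -contains $suite) { "listed in Functions" } else { "not listed" }
        [pscustomobject]@{ Kind = "CipherSuite"; Name = $suite; State = $state }
    }
    foreach ($name in $cipherKeys) {
        $key     = if ($ciphers) { $ciphers.OpenSubKey($name) } else { $null }
        $enabled = if ($key) { $key.GetValue("Enabled") } else { $null }
        # Enabled is a DWORD: 0 disables, any non-zero value (typically 0xFFFFFFFF) enables
        $state = if (-not $key) { "key absent (OS default)" }
                 elseif ($null -eq $enabled) { "key present, Enabled not set" }
                 else { "Enabled = 0x{0:X8}" -f $enabled }
        [pscustomobject]@{ Kind = "SchannelCipher"; Name = $name; State = $state }
        if ($key) { $key.Close() }
    }
    if ($ciphers) { $ciphers.Close() }
}

function Undo-LegacySchannelState {
    $functions = @((Get-ItemProperty -Path $suitePath -ErrorAction Stop).Functions)
    $trimmed   = @($functions | Where-Object { $_ -notin $legacySuites })
    if ($trimmed.Count -ne $functions.Count) {
        Set-ItemProperty -Path $suitePath -Name "Functions" -Value $trimmed -Type MultiString
        Write-Output "Removed $($functions.Count - $trimmed.Count) legacy suite(s) from Functions."
    }
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
    if ($ciphers) {
        foreach ($name in $cipherKeys) {
            $key = $ciphers.OpenSubKey($name, $true)
            if ($key) {
                # Explicit disable (0) rather than deleting the key, so the state is unambiguous
                $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
                $key.Close()
                Write-Output "Set Enabled=0 on Ciphers\$name."
            }
        }
        $ciphers.Close()
    }
    Write-Output "Reboot for SCHANNEL to pick up the change."
}

Write-Output "Legacy SCHANNEL state before:"
Get-LegacySchannelState | Format-Table -AutoSize

if ($Rollback) {
    Undo-LegacySchannelState
    Write-Output "Legacy SCHANNEL state after rollback:"
    Get-LegacySchannelState | Format-Table -AutoSize
}

# Cross-check against what SCHANNEL itself reports (TLS module, Windows 10 and later)
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Where-Object { $_.Name -in $legacySuites } | Select-Object Name
}
```

Run it once before applying the post's script to capture the baseline, once after the reboot to confirm the suites and keys are in place, and with `-Rollback` when the legacy connection is no longer needed. The `Get-TlsCipherSuite` cross-check shows which of the three suites SCHANNEL actually offers, which is the value that matters to the client, not just what the registry says.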