[Solved] Add legacy SSL ciphers back to Windows 11 24H2

1 Posts
1 Users
0 Reactions
2,745 Views
Brandon Lee
Posts: 690
Admin
Topic starter
(@brandon-lee)
Member
Joined: 16 years ago
[#449]

One issue I have found in troubleshooting a connection to a legacy SQL Server is that Windows 11 24H2 seems to have deprecated legacy ciphers even further than previous versions of Windows 11. Now, the ciphers are not even there. Previously I could launch IIS Crypto and enable all the legacy ciphers, but this didn't work in 24H2. So, I set about looking to see what had changed. 

Apparently, Windows 11 24H2 removes the following ciphers:

  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • TLS_RSA_WITH_RC4_128_SHA

  • TLS_RSA_WITH_RC4_128_MD5

So, these have to be added back and enabled.

PowerShell code to add these ciphers back and enable them

You can use the following PowerShell code to add these ciphers back and enable them. After running, the script calls out that you need to reboot also for these changes to take effect.

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002"
$currentCiphers = (Get-ItemProperty -Path $regPath).Functions

# Legacy cipher suites for SQL 2005
$legacySuites = @(
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5"
)

# Add missing cipher suites to the SSL Functions list (a REG_MULTI_SZ value)
$missing = @($legacySuites | Where-Object { $_ -notin $currentCiphers })
if ($missing.Count -gt 0) {
    Write-Output "Adding missing cipher suites: $($missing -join ', ')"
    $newList = $currentCiphers + $missing
    Set-ItemProperty -Path $regPath -Name "Functions" -Value $newList -Type MultiString
} else {
    Write-Output "All required cipher suites already present."
}

# Enable legacy cipher algorithms in SCHANNEL.
# The key names contain "/", which the PowerShell registry provider treats as a
# path separator (New-Item on "RC4 128/128" creates "RC4 128" with a subkey "128"),
# so the keys are created through the .NET registry API, which takes the name literally.
$ciphersKeyPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
$cipherNames = @(
    "RC4 128/128",
    "RC4 64/128",
    "RC4 56/128",
    "RC4 40/128",
    "Triple DES 168"
)

$ciphersKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersKeyPath, $true)
foreach ($name in $cipherNames) {
    # CreateSubKey opens the key if it already exists, so this is safe to re-run
    $key = $ciphersKey.CreateSubKey($name)
    $key.SetValue("Enabled", 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}
$ciphersKey.Close()

Write-Output "Legacy ciphers are now enabled. Please reboot to apply changes."
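Because these registry changes enable RC4 and 3DES for every SCHANNEL client and server on the host, not just the connection to the old SQL Server, it is worth being able to see exactly what is enabled and to put the defaults back once the legacy server is migrated. The following script is an added example, not part of the original post; it audits the same registry locations the post uses and, with -Revert, removes the suites and disables the algorithms again. It assumes it is run as Administrator.

```powershell
# Added example: audit (and optionally revert) the legacy SCHANNEL settings above.
param([switch]$Revert)

$sslFunctionsPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002"
$ciphersSubKey    = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
$legacySuites     = @("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5")
$legacyAlgorithms = @("RC4 128/128", "RC4 64/128", "RC4 56/128", "RC4 40/128", "Triple DES 168")

# 1. Cipher suite list SCHANNEL offers/accepts (REG_MULTI_SZ "Functions")
$functions = (Get-ItemProperty -Path $sslFunctionsPath).Functions
$present   = @($legacySuites | Where-Object { $_ -in $functions })
if ($present.Count -gt 0) {
    Write-Output "Legacy suites present in Functions list: $($present -join ', ')"
} else {
    Write-Output "Legacy suites present in Functions list: none"
}

# 2. Per-algorithm Enabled flags. The .NET API is used because the PowerShell
#    registry provider treats the "/" in "RC4 128/128" as a path separator.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersSubKey, $Revert.IsPresent)
foreach ($name in $legacyAlgorithms) {
    $key = $ciphers.OpenSubKey($name, $Revert.IsPresent)
    if ($null -eq $key) {
        Write-Output "$name : key absent (algorithm left at OS default)"
        continue
    }
    $enabled = $key.GetValue("Enabled")
    Write-Output "$name : Enabled = $enabled"
    if ($Revert -and $enabled -ne 0) {
        # 0 disables the algorithm for every SCHANNEL client and server on this host
        $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}
$ciphers.Close()

# 3. Optional rollback of the Functions list
if ($Revert) {
    $trimmed = @($functions | Where-Object { $_ -notin $legacySuites })
    Set-ItemProperty -Path $sslFunctionsPath -Name "Functions" -Value $trimmed -Type MultiString
    Write-Output "Legacy suites removed and algorithms disabled. Reboot to apply changes."
}
```

Run it without parameters after the reboot to confirm the post's script took effect, and with -Revert (followed by another reboot) when the legacy SQL Server is gone.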