TLS Cipher Suites in Windows 10 v1803 - Win32 apps (2024)

[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]

Cipher suites can only be negotiated for TLS versions which support them. The highest supported TLS version is always preferred in the TLS handshake.

Availability of cipher suites should be controlled in one of two ways:

  • Default priority order is overridden when a priority list is configured. Cipher suites not in the priority list will not be used.
  • Allowed when the application passes SCH_USE_STRONG_CRYPTO: The Microsoft Schannel provider will filter out known weak cipher suites when the application uses the SCH_USE_STRONG_CRYPTO flag. RC4, DES, export and null cipher suites are filtered out.

Important

HTTP/2 web services fail with non-HTTP/2-compatible cipher suites. To ensure your web services function with HTTP/2 clients and browsers, see How to deploy custom cipher suite ordering.
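As an added example (not code from the Microsoft page), the following PowerShell script audits a machine's current cipher suite order against the two points above: which enabled suites the SCH_USE_STRONG_CRYPTO filter would remove, and where the first HTTP/2-compatible suite sits. It assumes the Windows 10 TLS cmdlets (Get-TlsCipherSuite); the weak-suite and HTTP/2 patterns are the editor's own, derived from this page's table and RFC 7540 Appendix A.

```powershell
# Added example, not code from the Microsoft page. Assumes the Windows 10 TLS
# cmdlets (Get-TlsCipherSuite); the two patterns below are the editor's own.

# SCH_USE_STRONG_CRYPTO removes RC4, DES (not 3DES), export and NULL suites.
$WeakPattern = '_RC4_|_WITH_DES_|_EXPORT|_NULL_'

# HTTP/2 (RFC 7540, Appendix A) rejects non-ephemeral key exchange and non-AEAD
# ciphers, so among the suites on this page only the ECDHE/DHE GCM ones qualify.
$Http2Pattern = '^TLS_(ECDHE|DHE)_.*_GCM_'

# Protocol version codes as Schannel reports them in the Protocols property.
$TlsName = @{ 768 = 'SSL 3.0'; 769 = 'TLS 1.0'; 770 = 'TLS 1.1'; 771 = 'TLS 1.2'; 772 = 'TLS 1.3' }

function Get-CipherSuiteAudit {
    param([object[]]$Suites = (Get-TlsCipherSuite))   # current priority order
    $position = 0
    foreach ($s in $Suites) {
        $position++
        [pscustomobject]@{
            Position            = $position
            Name                = $s.Name
            Protocols           = ($s.Protocols | ForEach-Object { $TlsName[[int]$_] }) -join ', '
            StrongCryptoAllowed = $s.Name -notmatch $WeakPattern
            Http2Compatible     = $s.Name -match $Http2Pattern
        }
    }
}

$audit = Get-CipherSuiteAudit

# Suites in the priority list that an application passing SCH_USE_STRONG_CRYPTO
# will never negotiate; a non-empty result means the flag, not the priority
# list, is what keeps them out of use for that application.
$audit | Where-Object { -not $_.StrongCryptoAllowed } |
    Format-Table Position, Name, Protocols -AutoSize

# HTTP/2 clients fail if the suite that wins negotiation is on the blacklist,
# so report what sits above the first HTTP/2-compatible suite.
$firstHttp2 = $audit | Where-Object Http2Compatible | Select-Object -First 1
if ($null -eq $firstHttp2) {
    Write-Warning 'No HTTP/2-compatible cipher suite is enabled.'
} elseif ($firstHttp2.Position -gt 1) {
    $above = ($audit | Where-Object { $_.Position -lt $firstHttp2.Position }).Name -join ', '
    Write-Warning "First HTTP/2-compatible suite is at position $($firstHttp2.Position); above it: $above"
}
```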

FIPS compliance has become more complex with the addition of elliptic curves, which made the "FIPS mode enabled" column in previous versions of this table misleading. For example, a cipher suite such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is only FIPS-compliant when it is used with NIST elliptic curves. To find out which combinations of elliptic curves and cipher suites are enabled in FIPS mode, see section 3.3.1 of Guidelines for the Selection, Configuration, and Use of TLS Implementations.

For Windows 10, version 1803, the following cipher suites are enabled, in this priority order, by default using the Microsoft Schannel Provider:

| Cipher suite string | Allowed by SCH_USE_STRONG_CRYPTO | TLS/SSL protocol versions |
| --- | --- | --- |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Yes | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Yes | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Yes | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Yes | TLS 1.2 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | Yes | TLS 1.2 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | Yes | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | Yes | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | Yes | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Yes | TLS 1.2 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Yes | TLS 1.2 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | Yes | TLS 1.2 |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | Yes | TLS 1.2 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | Yes | TLS 1.2 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | Yes | TLS 1.2 |
| TLS_RSA_WITH_AES_256_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_RSA_WITH_AES_128_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_RSA_WITH_NULL_SHA256 (only used when the application explicitly requests it) | No | TLS 1.2 |
| TLS_RSA_WITH_NULL_SHA (only used when the application explicitly requests it) | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |

The following cipher suites are supported by the Microsoft Schannel Provider, but not enabled by default:

| Cipher suite string | Allowed by SCH_USE_STRONG_CRYPTO | TLS/SSL protocol versions |
| --- | --- | --- |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | Yes | TLS 1.2 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | Yes | TLS 1.2 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_RSA_WITH_RC4_128_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_RSA_WITH_RC4_128_MD5 | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_RSA_WITH_DES_CBC_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_DHE_DSS_WITH_DES_CBC_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_RSA_WITH_NULL_MD5 (only used when the application explicitly requests it) | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 |

The following PSK cipher suites are enabled and in this priority order by default using the Microsoft Schannel Provider:

| Cipher suite string | Allowed by SCH_USE_STRONG_CRYPTO | TLS/SSL protocol versions |
| --- | --- | --- |
| TLS_PSK_WITH_AES_256_GCM_SHA384 | Yes | TLS 1.2 |
| TLS_PSK_WITH_AES_128_GCM_SHA256 | Yes | TLS 1.2 |
| TLS_PSK_WITH_AES_256_CBC_SHA384 | Yes | TLS 1.2 |
| TLS_PSK_WITH_AES_128_CBC_SHA256 | Yes | TLS 1.2 |
| TLS_PSK_WITH_NULL_SHA384 | No | TLS 1.2 |
| TLS_PSK_WITH_NULL_SHA256 | No | TLS 1.2 |

Note

No PSK cipher suites are enabled by default. Applications need to request PSK using SCH_USE_PRESHAREDKEY_ONLY. For more information on Schannel flags, see SCHANNEL_CRED.

To add cipher suites, either deploy a group policy or use the TLS cmdlets:

  • To use group policy, configure SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all cipher suites you want enabled.
  • To use PowerShell, see TLS cmdlets.
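As an added example (not code from the Microsoft page), this PowerShell function pins a cipher suite priority order with the Windows 10 TLS cmdlets named above (Get-TlsCipherSuite, Disable-TlsCipherSuite, Enable-TlsCipherSuite). The sample priority list is the editor's selection from the default order on this page, not a Microsoft recommendation; the function is a dry run unless -Apply is given.

```powershell
# Added example, not code from the Microsoft page. Uses the Windows 10 TLS
# cmdlets; changing the order needs an elevated session.
function Set-CipherSuitePriority {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Desired,   # full priority list, highest first
        [switch]$Apply                               # without it, only report the plan
    )
    $current = @((Get-TlsCipherSuite).Name)

    # Every currently enabled suite is removed: suites outside the configured
    # priority list must not be used (the rule on this page), and removing the
    # listed ones too lets the loop below set each one's exact position.
    foreach ($name in $current) {
        Write-Verbose "disable $name"
        if ($Apply) { Disable-TlsCipherSuite -Name $name }
    }
    # Position 0 is the highest priority for Enable-TlsCipherSuite.
    for ($i = 0; $i -lt $Desired.Count; $i++) {
        Write-Verbose ("enable  {0} at position {1}" -f $Desired[$i], $i)
        if ($Apply) { Enable-TlsCipherSuite -Name $Desired[$i] -Position $i }
    }
    if ($Apply) { $after = (Get-TlsCipherSuite).Name } else { $after = $Desired }
    [pscustomobject]@{ Before = $current -join ','; After = $after -join ',' }
}

# Editor's sample list from the default order on this page: the ECDHE/DHE GCM
# suites (HTTP/2-compatible) first, then the ECDHE CBC SHA-2 suites as a TLS 1.2
# fallback. The same comma-separated string is what the "SSL Cipher Suite Order"
# group policy setting takes. Adjust to your own policy before applying.
$policy = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
)
Set-CipherSuitePriority -Desired $policy -Verbose          # dry run: lists planned changes
# Set-CipherSuitePriority -Desired $policy -Apply -Verbose # apply the order
```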

Note

Prior to Windows 10, cipher suite strings were appended with the elliptic curve to determine the curve priority. Windows 10 supports an elliptic curve priority order setting, so the elliptic curve suffix is not required and is overridden by the new elliptic curve priority order when one is provided. This lets organizations use group policy to configure different versions of Windows with the same cipher suites.
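As an added example (not code from the Microsoft page), this PowerShell function converts a pre-Windows 10 "SSL Cipher Suite Order" string, whose entries carry a curve suffix, into the Windows 10 form plus a separate curve priority order. The legacy policy string is constructed, and the curve names and the Enable-TlsEccCurve cmdlet are assumed to match the Windows 10 TLS cmdlets (Get-TlsEccCurve).

```powershell
# Added example, not code from the Microsoft page. The suffix-to-curve mapping
# and the curve names are the editor's assumptions about the TLS cmdlets.
$CurveForSuffix = @{ P256 = 'NistP256'; P384 = 'NistP384'; P521 = 'NistP521' }

function Convert-LegacyCipherSuiteOrder {
    param([Parameter(Mandatory)][string]$PolicyString)   # comma-separated legacy list
    $suites = [System.Collections.Generic.List[string]]::new()
    $curves = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in $PolicyString -split ',' | ForEach-Object Trim | Where-Object { $_ }) {
        if ($entry -match '^(?<suite>.+)_(?<curve>P256|P384|P521)$') {
            $base  = $Matches.suite
            $curve = $CurveForSuffix[$Matches.curve]
            # Curve priority follows the order in which suffixes first appear.
            if (-not $curves.Contains($curve)) { $curves.Add($curve) }
        } else {
            $base = $entry        # already in Windows 10 form, or a non-ECDHE suite
        }
        # One Windows 10 entry per suite, placed where it first occurred.
        if (-not $suites.Contains($base)) { $suites.Add($base) }
    }
    [pscustomobject]@{
        CipherSuiteOrder = $suites -join ','   # value for the Windows 10 policy string
        EccCurveOrder    = @($curves)          # value for the curve priority setting
    }
}

# Constructed legacy policy string: each ECDHE suite listed once per curve, the
# way pre-Windows 10 policies had to spell it out.
$legacy = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256,' +
          'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,' +
          'TLS_RSA_WITH_AES_128_GCM_SHA256'
$converted = Convert-LegacyCipherSuiteOrder -PolicyString $legacy
$converted | Format-List

# Apply the curve order on Windows 10 (elevated session); position 0 is the
# highest priority. Uncomment once the lists above have been reviewed.
# for ($i = 0; $i -lt $converted.EccCurveOrder.Count; $i++) {
#     Enable-TlsEccCurve -Name $converted.EccCurveOrder[$i] -Position $i
# }
```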
