Microsoft Security Advisory 3042058

Update to Default Cipher Suite Priority Order

Published: May 12, 2015 | Updated: October 13, 2015

Version: 1.1

On May 12, 2015, Microsoft announced the availability of an update to cryptographic cipher suite prioritization in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The update added additional cipher suites to the default list on affected systems and improved cipher suite priority ordering. The improvements were in keeping with ongoing efforts to bolster the effectiveness of encryption in Windows operating systems.

Microsoft initially offered the update via the Microsoft Download Center (DLC) only in order to give customers the opportunity to test the new features before making them a default part of their environments.

With the October 13, 2015 revision of this advisory, Microsoft is announcing that in addition to the DLC option, the 3042058 update is now also available via Microsoft Update (MU) and Windows Server Update Services (WSUS).

For additional details and deployment guidance, see Microsoft Knowledge Base Article 3042058.

Operating System

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows Server 2012

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012 R2

Server Core installation option

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

What is the scope of the advisory? 
The purpose of this advisory is to notify customers of an available update that is part of Microsoft’s ongoing efforts to bolster the effectiveness of security controls in Windows.

What does the update do? 
The update adds the following cryptographic cipher suites to the default list in all affected operating systems and includes improvements to the cipher suite priority ordering.

Cipher Suites Added by the Update

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

What do these cipher suites do? 
The cipher suites add support for Perfect Forward Secrecy (PFS). While providing enhanced security, PFS could have a noticeable effect on system performance in some scenarios due to its higher computing requirements. For more information, see Microsoft Knowledge Base Article 3042058.

What internal testing should be done with respect to this update? 
Any applications, including Internet Explorer, IIS, SQL Server, or Exchange Server, that use Schannel to implement or negotiate SSL/TLS connections should be tested thoroughly. Especially scenarios where a large number of simultaneous connections are made, such as with web or database servers that host many users, or edge servers that handle many secure connections and forward them to internal servers. All existing SSL/TLS applications should behave as expected. Note that although the new cipher suites are more secure, they are likely to be more resource intensive. Therefore, customers should test for an increase in resource consumption when the number of SSL/TLS connections scales up (in both server and client scenarios).

Feedback

Support

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (May 12, 2015): Advisory published.
  • V1.1 (October 13, 2015): Advisory revised to announce that the Default Cipher Suite Prioritization update (3042058), originally released May 12, 2015 via the Microsoft Download Center (DLC) only, is now also available via Microsoft Update (MU) and Windows Server Update Services (WSUS). This is an update offering venue change only. There were no changes to the update files. Customers who have already successfully installed the update do not need to take any action.

Page generated 2015-10-07 11:07-07:00.
Show: