I have a small project where I have to query about 1800 servers on Server 2012 R2 and want to see if they have TLS 1.2 AND the specific cipher suites that I need enabled on the server AND enabled.
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Using Get-TlsCipherSuite in Server 2016 works as expected, but that is not available in Server 2012 R2.
For Server 2012 R2 I was trying to use this call:
Get-ItemPropertyValue -Path HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 -Name Functions
But it shows that it is installed, but not its state. I need to confirm if it is actually enabled and not just installed. The above call doesn't do that, and I cannot find where the 'flag' is to show that the item is enabled.
Any help would be appreciated.
In my use case I found that the following reliably indicated whether or not the target cipher suites were present and enabled on OS 2012r2:
# Read the OS product name from the registry
$osVer = (Get-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion")
if (($osVer).GetValue('ProductName') -like "*2012*") {
    Write-Host "detected OS: 2012"
    # Cipher suite order from the policy key, stored as one comma-separated string
    $2012suites = ((Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002").Functions).split(",")
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" | ForEach-Object {
        if ($_ -in $2012suites) {
            Write-Host "Present: $_" -ForegroundColor Green
        } else {
            Write-Host "Missing: $_" -ForegroundColor Red
        }
    }
}
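
The check above, extended to many servers and to the TLS 1.2 protocol switch, as an added example that is not part of the original question or answer. It assumes PowerShell remoting is enabled on the targets, that a Group Policy cipher order (when present) takes precedence over the local list, and that missing SCHANNEL values mean the OS default applies; `Test-TlsCipherConfig`, `servers.txt` and `tls-report.csv` are hypothetical names.

```powershell
# Added example, not from the original posts. Test-TlsCipherConfig is a hypothetical helper name.
function Test-TlsCipherConfig {
    param(
        [string[]]$ComputerName,
        [string[]]$RequiredSuite = @('TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
                                     'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256')
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$RequiredSuite) -ScriptBlock {
        param([string[]]$Required)
        $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
        $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
        $tls12Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'

        # Assumption: a Group Policy cipher order, when present, overrides the local list.
        $source = 'Policy'
        $raw = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
        if (-not $raw) {
            $source = 'Local'
            $raw = (Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue).Functions
        }
        # The policy value is one comma-separated string, the local value is multi-string; normalise both.
        $suites = @($raw | ForEach-Object { "$_".Split(',') } | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        # Assumption: with no explicit Enabled value, TLS 1.2 is left at the OS default.
        $proto = Get-ItemProperty -Path $tls12Key -ErrorAction SilentlyContinue
        if ($null -eq $proto -or $null -eq $proto.Enabled) {
            $tls12 = 'Default'
        } elseif ($proto.Enabled -ne 0 -and $proto.DisabledByDefault -ne 1) {
            $tls12 = 'Enabled'
        } else {
            $tls12 = 'Disabled'
        }

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Tls12Server   = $tls12
            SuiteSource   = $source
            MissingSuites = @($Required | Where-Object { $_ -notin $suites }) -join ','
        }
    }
}

# Example run against a hypothetical server list:
# Test-TlsCipherConfig -ComputerName (Get-Content .\servers.txt) |
#     Export-Csv .\tls-report.csv -NoTypeInformation
```

An empty `MissingSuites` column means both required suites are in the effective list; `SuiteSource` shows whether that list came from the policy key or the local key.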