IIS Crypto template optimized for Windows Server 2016: it orders the cipher suites HTTP/2 accepts (ECDHE with AES-GCM) ahead of the ones HTTP/2 blacklists, and disables the non-forward-secret and known-weak cipher suites, updated with the more recently identified weak ciphers disabled (this template is used in my autofix SSL script here: https://gist.github.com/JimWolff/fc35d863db8971b2a73c96f90c5002e4 )
<?xml version="1.0" encoding="utf-16"?>
<iisCryptoTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="0">
<header>
<name>Best Practice, prio HTTP/2, FS</name>
<author>Jim Wolff</author>
<lastUpdated>2018-03-12T12:45:11.0463186Z</lastUpdated>
<description>Using best practices, but the TLS_ECDHE_ECDSA suites are prioritised because HTTP/2 requires a cipher suite that is not on its blacklist; suites are ordered to ensure forward secrecy (FS)</description>
<builtIn>false</builtIn>
</header>
<schannel setClientProtocols="true">
<!-- NOTE(review): setClientProtocols="true" presumably makes the clientProtocols list
     below apply to the machine's outbound (client-side) Schannel settings as well,
     i.e. to connections this server itself opens to back-ends, not only to inbound
     IIS traffic. Confirm outbound dependencies before applying the template. -->
<clientProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<!-- NOTE(review): TLS 1.0 and TLS 1.1 are left Enabled on both the client and the
     server side although the template is titled "Best Practice". Both versions are
     deprecated (RFC 8996) and Windows Server 2016, the stated target, supports
     TLS 1.2. Unless an inventory of legacy clients requires them, set both to
     Disabled. Note that a TLS 1.0/1.1 client can only negotiate the *_CBC_SHA
     suites of the cipherSuites list; the SHA256/SHA384 and GCM suites need TLS 1.2. -->
<schannelItem name="TLS 1.0" state="Enabled" />
<schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</clientProtocols>
<serverProtocols>
<schannelItem name="Multi-Protocol Unified Hello" state="Disabled" />
<schannelItem name="PCT 1.0" state="Disabled" />
<schannelItem name="SSL 2.0" state="Disabled" />
<schannelItem name="SSL 3.0" state="Disabled" />
<!-- NOTE(review): same point as for clientProtocols: TLS 1.0 and 1.1 should be
     Disabled for inbound IIS traffic unless legacy clients are known to need them. -->
<schannelItem name="TLS 1.0" state="Enabled" />
<schannelItem name="TLS 1.1" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="TLS 1.2" state="Enabled" minimumOSVersion="Windows2008R2" />
</serverProtocols>
<ciphers>
<schannelItem name="NULL" state="Disabled" />
<schannelItem name="DES 56/56" state="Disabled" />
<schannelItem name="RC2 40/128" state="Disabled" />
<schannelItem name="RC2 56/128" state="Disabled" />
<schannelItem name="RC2 128/128" state="Disabled" />
<schannelItem name="RC4 40/128" state="Disabled" />
<schannelItem name="RC4 56/128" state="Disabled" />
<schannelItem name="RC4 64/128" state="Disabled" />
<schannelItem name="RC4 128/128" state="Disabled" />
<!-- NOTE(review): "Triple DES 168" stays Enabled although both 3DES suites in the
     cipherSuites list (TLS_RSA_WITH_3DES_EDE_CBC_SHA and
     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA) are Disabled, so no enabled suite uses it.
     Disable it here as well for consistency; 3DES is affected by the Sweet32
     birthday attack. -->
<schannelItem name="Triple DES 168" state="Enabled" />
<schannelItem name="AES 128/128" state="Enabled" />
<schannelItem name="AES 256/256" state="Enabled" />
</ciphers>
<hashes>
<!-- NOTE(review): MD5 is Enabled but no enabled cipher suite uses an MD5 MAC (the
     only MD5 suite, TLS_RSA_WITH_RC4_128_MD5, is Disabled), so it can be Disabled.
     "SHA" is SHA-1; it is still required as the HMAC of the four enabled *_CBC_SHA
     suites and can only be disabled together with them. -->
<schannelItem name="MD5" state="Enabled" />
<schannelItem name="SHA" state="Enabled" />
<schannelItem name="SHA 256" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 384" state="Enabled" minimumOSVersion="Windows2008R2" />
<schannelItem name="SHA 512" state="Enabled" minimumOSVersion="Windows2008R2" />
</hashes>
<keyExchanges>
<!-- NOTE(review): every enabled cipher suite uses ECDHE, so ECDH is the only key
     exchange this template actually exercises. Diffie-Hellman (all TLS_DHE_* suites
     are Disabled) and PKCS, Schannel's name for RSA key exchange (all TLS_RSA_*
     suites are Disabled), are enabled but unused here; verify nothing else on the
     host depends on them before disabling. -->
<schannelItem name="Diffie-Hellman" state="Enabled" />
<schannelItem name="PKCS" state="Enabled" />
<schannelItem name="ECDH" state="Enabled" />
</keyExchanges>
</schannel>
<cipherSuites>
<!-- Element order is the Schannel cipher-suite priority order: the server picks the
     first suite in this list that the client also offers. The AEAD (AES-GCM) suites
     are placed first; per the header description this is what lets HTTP/2 negotiate a
     suite that is not on the RFC 7540 Appendix A blacklist. Every CBC suite below is
     on that blacklist and is kept, after the GCM suites, only as a fallback for
     clients without AES-GCM support.
     NOTE(review): the TLS_ECDHE_ECDSA_* entries are only negotiable when the site is
     bound to an ECDSA certificate; with an RSA certificate the first usable suite is
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
     NOTE(review): the *_CBC_SHA suites use an HMAC-SHA1 MAC and are the only suites a
     TLS 1.0/1.1 client can negotiate; once TLS 1.0/1.1 are disabled in the
     serverProtocols list they can be disabled as well.
     No TLS 1.3 suites (TLS_AES_*) are listed, which is consistent with the Windows
     Server 2016 target; on a Schannel build that supports TLS 1.3 the template would
     presumably need them added ahead of the entries below. -->
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" state="Enabled" />
<cipherSuiteItem name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" state="Enabled" />
<!-- All static-RSA (TLS_RSA_*) and DHE suites are Disabled: forward secrecy is
     provided by ECDHE only. Clients that cannot do ECDHE will fail the handshake
     rather than fall back to a non-FS suite. -->
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA" state="Disabled" />
<!-- 3DES, DSS, RC4, NULL-cipher and PSK suites: all Disabled (weak, legacy, or
     unauthenticated-by-certificate). -->
<cipherSuiteItem name="TLS_RSA_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_256_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_AES_128_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_RC4_128_MD5" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_RSA_WITH_NULL_SHA" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_GCM_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_GCM_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_256_CBC_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_AES_128_CBC_SHA256" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA384" state="Disabled" />
<cipherSuiteItem name="TLS_PSK_WITH_NULL_SHA256" state="Disabled" />
</cipherSuites>
</iisCryptoTemplate>