SSL Cipher Suite Order

This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).

If you enable this policy setting SSL cipher suites are prioritized in the order specified.

If you disable or do not configure this policy setting the factory default cipher suite order is used.


  • SSL2 SSL3 TLS 1.0 and TLS 1.1 cipher suites:
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_RC4_128_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
    • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_RC4_128_MD5
    • SSL_CK_RC4_128_WITH_MD5
    • SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    • TLS_RSA_WITH_NULL_SHA
    • TLS_RSA_WITH_NULL_MD5
  • TLS 1.2 SHA256 and SHA384 cipher suites:
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
    • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_NULL_SHA256
  • TLS 1.2 ECC GCM cipher suites:
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521


How to modify this setting:

  1. Open a blank notepad document.
  2. Copy and paste the list of available suites into it.
  3. Arrange the suites in the correct order; remove any suites you don't want to use.
  4. Place a comma at the end of every suite name except the last. Make sure there are NO embedded spaces.
  5. Remove all the line breaks so that the cipher suite names are on a single long line.
  6. Copy the cipher-suite line to the clipboard then paste it into the edit box.

The maximum length is 1023 characters.

Policy path: 

Network\SSL Configuration Settings

Scope: 

Machine

Supported on: 

At least Windows Vista

Registry settings: 

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions

Filename: 

CipherSuiteOrder.admx