How to disable curve25519 / x25519 key exchange on Windows Server 2016

If you are using a Palo Alto firewall to do inbound SSL decryption, you might have run into decryption issues with Windows Server 2016 running IIS.

For us, this was because the server was negotiating a key exchange (x25519) that PAN-OS 8.1 does not support for SSL decryption.

You probably don't want to disable all ECDH key exchanges, so the command below disables only x25519 and leaves the NIST curves in place; this is enough for the Palo Alto firewall to decrypt the traffic.

Open an elevated PowerShell session and run the following command:

Disable-TlsEccCurve -Name curve25519

Run Get-TlsEccCurve before and after the command: curve25519 should be in the list before and gone afterwards.

After a reboot, IIS should no longer offer x25519 for key exchange (the curve is used for key agreement, not for encrypting the traffic itself).
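The same procedure as a script, with the before/after check built in, as an added example that is not part of the original post. It assumes an elevated session on Windows Server 2016 (the Tls* cmdlets ship with it) and that the cmdlets store the curve list in the registry value used by the "ECC Curve Order" group policy; that registry path is an assumption here, and the script only reads it.

```powershell
# Added example (not from the original post): disable the curve25519 TLS ECC
# curve on Windows Server 2016 and verify the change before and after.
# Run from an elevated PowerShell session.

$curve = 'curve25519'

# Record the enabled curves first; keep this output if you need to roll back
# (Enable-TlsEccCurve -Name curve25519 -Position 0 restores it at the front).
$before = Get-TlsEccCurve
Write-Host "Enabled curves before: $($before -join ', ')"

if ($before -notcontains $curve) {
    Write-Host "$curve is already disabled; nothing to do."
}
else {
    Disable-TlsEccCurve -Name $curve
}

# Verify: the curve must no longer appear in the enabled list.
$after = Get-TlsEccCurve
Write-Host "Enabled curves after:  $($after -join ', ')"

if ($after -contains $curve) {
    Write-Error "$curve is still enabled"
    exit 1
}

# Assumed location of the policy list the cmdlets maintain (the same value the
# "ECC Curve Order" group policy writes). Shown so the change can be checked
# from GPO tooling or a configuration baseline; not modified here.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Test-Path $regPath) {
    $policy = Get-ItemProperty -Path $regPath -Name EccCurves -ErrorAction SilentlyContinue
    if ($policy) { Write-Host "Policy EccCurves: $($policy.EccCurves -join ', ')" }
}

# Schannel picks up the list on restart; reboot (as the post says) or at
# least restart IIS before testing decryption from the firewall.
```

To confirm from a client rather than from the server's own registry, connect with OpenSSL while offering only x25519 (for example `openssl s_client -connect server:443 -curves X25519`) and look at the "Server Temp Key" line: after the change it should not report X25519. Note that Windows will still complete the handshake with a non-ECDHE (RSA key exchange) suite if one is enabled, so an absent "Server Temp Key" line is the expected outcome there, not an error.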

For a complete list of ciphers and key exchanges supported for decryption in PAN-OS 8.1, see Palo Alto's documentation.

Written by Arve (Norway). Sysadmin. Firewalls, networking, AD, oh my!