
If you prefer AES 256 over AES 128

posted Sep 5, 2012, 1:32 PM by Ondřej Pšenčík   [ updated Sep 5, 2012, 1:35 PM ]
SSL security parameters are negotiated after the connection is established. The default first choice in Windows Schannel is AES 128 for encryption; fortunately, it is easy to change if one wants to.
Start the Group Policy Editor (gpedit.msc) and locate SSL Configuration Settings - see picture below.


Open SSL Cipher Suite Order, select Enabled and redefine the order of suites to reflect your wishes (i.e. put AES 256 first). I used Notepad: I copied the existing text there, made the modifications and copied it back into that miniature edit field.
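
The manual reordering described above can also be scripted. The following PowerShell is an added example, not part of the original post: `Set-Aes256First` is a hypothetical helper name, the suite list is a constructed sample, and the registry key read at the end is the location where the SSL Cipher Suite Order policy value is stored.

```powershell
# Added example: put AES 256 suites first in a Schannel cipher suite list.
# Set-Aes256First is a hypothetical helper; the sample list is constructed.
function Set-Aes256First {
    param([Parameter(Mandatory)][string]$SuiteList)

    # The policy field holds one comma-separated string; drop stray blanks.
    $suites = @($SuiteList.Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Select-Object -Unique)

    # Stable partition: AES 256 suites keep their relative order, then the rest.
    $aes256 = @($suites | Where-Object { $_ -match '_AES_256_' })
    $others = @($suites | Where-Object { $_ -notmatch '_AES_256_' })
    if ($aes256.Count -eq 0) {
        throw 'No AES 256 suite in the list; nothing to prefer.'
    }

    $ordered = ($aes256 + $others) -join ','
    # The policy's own help text limits the list to 1023 characters.
    if ($ordered.Length -gt 1023) {
        throw "List is $($ordered.Length) characters; the policy allows 1023."
    }
    return $ordered
}

# Constructed sample in the style of the default list (AES 128 listed first).
$current = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
) -join ','

# Paste this string into the SSL Cipher Suite Order edit field.
Set-Aes256First -SuiteList $current

# After the policy is applied, read back what Group Policy stored (read-only).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$applied = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
if ($applied) { ($applied -split ',')[0..2] } else { 'Policy value not set.' }
```

The function only reorders suites that are already in the list, so nothing is enabled or removed relative to the text copied out of the policy dialog.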
 

It looks like the suites are enabled, so you do not need to modify the registry to enable them. Local Sync outputs the result of the negotiation in the main log, so you can see the negotiated security parameters, e.g. in my case


For the Local Sync program, stronger encryption makes sense if you are using your own certificate rather than the built-in certificate.