9

When I disabled the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 in PowerShell on Windows Server, I got this error message:

Disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225
At line:1 char:1
+ Disable-TlsCipherSuite -Name "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Disable-TlsCipherSuite], COMException
    + FullyQualifiedErrorId : Exception from HRESULT: 0xD0000225,Microsoft.WindowsAuthenticationProtocols.Commands.RemoveTlsCipherSuiteCommand

What does the error mean and how to fix it? Thank you for any suggestion.

funbrain9
  • Interesting. HRESULT is interpreted as 0xD (severe failure, NT status bit set) and the error is 0x0225 which is stated to be [ERROR_INSTRUCTION_MISALIGNMENT (0x225)] aka some code is not properly aligned in memory. Either you've discovered a bug in cryptography which is masked because the ciphersuite affected is not used in favor of AES256/SHA384, or there is some internal protection at work, like if disabling this ciphersuite would seriously break say Microsoft signature verification or similar Windows-important process. – Vesper Dec 09 '20 at 13:02
  • Anyone? I'm getting the same error with this: Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA" – user584572 Feb 16 '21 at 03:26

2 Answers

6

The error simply indicates the cipher is already disabled.

Try Enable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and then Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; no error should appear.

Michael
Cricou
  • My question is why Get-TlsCipherSuite still returns it if it's disabled – Igor Pashchuk Mar 19 '21 at 19:45
  • I have the same question – TheMah Apr 13 '21 at 05:51
  • Run the Powershell as administrator and try it. – ArunSK Jul 13 '21 at 18:02
  • @IgorPashchuk What if you first enable the Group Policy variable for the cipher suite order? If it's disabled, I don't think changes will be applied—the default order and _all available ciphers_ will be used. Its hierarchy is: Local Computer Policy › Administrative Template › Network › SSL Configuration Settings › SSL Cipher Suite Order – Michael Oct 23 '21 at 21:36
  • It returns if it is disabled because the cipher suite may be *installed* but not *in use*. I do think the Powershell cmdlet for this should simply return an informative message like "Suite disabled" rather than the cryptic 0xD0000225. – David W Nov 30 '22 at 12:39
3

Run the Powershell as administrator and try it

It worked for me.

ArunSK
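The two answers above point at two separate causes of a failing Disable-TlsCipherSuite call: the suite is already disabled (the first answer's reading of HRESULT 0xD0000225) and the session is not elevated (the second answer). The script below is an added example, not code from the question or either answer; it checks for elevation first, then attempts the disable and treats the 0xD0000225 message the way the first answer does, and finally lists what Get-TlsCipherSuite still reports so the change can be verified. It assumes only the Get-TlsCipherSuite, Enable-TlsCipherSuite and Disable-TlsCipherSuite cmdlets already used on this page and the standard .NET WindowsPrincipal elevation check; the parameter name $SuiteName and the exact wording matched in the catch block ("0xD0000225", taken from the error text in the question) are this example's own choices.

```powershell
# Added example (not from the question or the answers on this page).
# Disables one TLS cipher suite and distinguishes "not elevated" from
# "already disabled" (HRESULT 0xD0000225), as the two answers describe.
param(
    [Parameter(Mandatory = $true)]
    [string]$SuiteName   # e.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (name is the caller's choice)
)

# Second answer: the Tls cmdlets need an elevated session. Fail early with
# a clear message instead of an opaque COM error.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session (Run as administrator)."
}

# Record what the system reports before the change, for comparison afterwards.
$before = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
Write-Host "Listed before: $($before.Count) suites; contains '$SuiteName': $($before -contains $SuiteName)"

try {
    Disable-TlsCipherSuite -Name $SuiteName -ErrorAction Stop
    Write-Host "Disabled $SuiteName."
}
catch {
    # First answer: 0xD0000225 here means the suite was already disabled,
    # so this is reported as a warning rather than treated as a failure.
    if ($_.Exception.Message -match '0xD0000225') {
        Write-Warning "$SuiteName appears to be already disabled (HRESULT 0xD0000225)."
    }
    else {
        throw   # any other error is unexpected and should surface
    }
}

# Comment under the first answer: Get-TlsCipherSuite may still list a suite
# that is installed but not in use, so show the list rather than assuming.
$after = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
Write-Host "Listed after:  $($after.Count) suites; contains '$SuiteName': $($after -contains $SuiteName)"
```

Run it as .\Disable-Suite.ps1 -SuiteName TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 from an elevated prompt; to re-enable a suite for the enable-then-disable check the first answer suggests, call Enable-TlsCipherSuite -Name with the same name first.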