We need to perform an SSL hardening exercise on Windows 2003, and need an inconsistency cleared up.
The community article from January this year (Windows 2003 Server SP2 (IIS 6) Best Cipher Suites, HotFix, Nartac, and Descrepancies) suggests a specific process to add the following two new ciphers:
- TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
- TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
The critical security update MS14-066 (November 2014) installed schannel.dll version 5.2.3790.5462 for Windows 2003, while KB948963 will install schannel.dll 5.2.3790.4313, a lower version, back on top of this.
It seems that the process in the linked community article will resolve our issue with missing ciphers, but reintroduce the issue resolved under MS14-066.
Please can someone confirm if there is a way to keep the now current updates and still enable the AES ciphers in Windows 2003.
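
An added example, not part of the original post: a check to run after any hotfix or rollback, confirming that the installed schannel.dll has not dropped below the MS14-066 build quoted above. It assumes PowerShell 2.0 is available on the server; the function name `Test-SchannelBaseline` is hypothetical.

```powershell
# Added example. The baseline is the schannel.dll version the post attributes
# to MS14-066; 5.2.3790.4313 (KB948963, per the post) would compare as lower.
function Test-SchannelBaseline {
    param(
        [string]$Path = (Join-Path $env:windir 'system32\schannel.dll'),
        [version]$Baseline = '5.2.3790.5462'
    )

    if (-not (Test-Path $Path)) {
        throw "schannel.dll not found at $Path"
    }

    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)

    # Build the version from the numeric parts. The FileVersion string may
    # carry a trailing branch label that [version] cannot parse.
    $installed = New-Object System.Version -ArgumentList `
        $info.FileMajorPart, $info.FileMinorPart,
        $info.FileBuildPart, $info.FilePrivatePart

    New-Object PSObject -Property @{
        Path      = $Path
        Installed = $installed
        Baseline  = $Baseline
        Regressed = ($installed -lt $Baseline)
    }
}

$result = Test-SchannelBaseline
$result | Format-List Path, Installed, Baseline, Regressed

if ($result.Regressed) {
    Write-Warning "schannel.dll $($result.Installed) is older than baseline $($result.Baseline)"
    exit 1
}
```

The non-zero exit code lets the check be chained into a deployment script so that a hotfix which rolls schannel.dll back is caught before the server returns to service.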