
Disabling Diffie–Hellman key exchange algorithm for the Terminal Server service

Important Notice
This article is intended only for use when explicitly recommended by Y Soft for specific troubleshooting scenarios in controlled or restricted environments.
Misconfiguration or unintended changes may result in critical security vulnerabilities or system instability. Proceed with caution and only under guidance from authorized Y Soft personnel.

The Diffie–Hellman key exchange (appearing in cipher suite names as DH, DHE, EDH or ECDHE) is one of the ways two TLS peers can agree on cryptographic keys over the network. Its ephemeral forms (DHE/ECDHE) provide forward secrecy: the session key is derived from values that exist only for the duration of the handshake and are never sent in a form that the server's long-term private key could unlock. It is currently considered one of the most secure key exchange options available.

Network traffic captured from such a session therefore cannot be decrypted afterwards with the server's private key, which can complicate troubleshooting of complex issues. This article describes how to disable the algorithm so that the Terminal Server falls back to RSA key transport, where the session key is encrypted to the server's public key and can be recovered from a capture by whoever holds the private key. Without Diffie-Hellman the SSL/TLS communication is still encrypted, but without forward secrecy: a single leaked private key then exposes every recorded session. Disable it only when absolutely necessary and re-enable it as soon as the troubleshooting is finished. Note that RSA key transport exists only in TLS 1.2 and earlier; TLS 1.3 always uses (EC)DHE, so this method helps only for connections negotiated at TLS 1.2 or below.

Steps to follow:

On Windows you can disable the DH key exchange algorithm via the system registry:

  1. Run PowerShell under administrative account.

  2. Back up the existing registry key.
    Note: backup.reg is stored on the desktop of the user launching the command. If the KeyExchangeAlgorithms key does not exist yet (the default on many installations), reg export reports an error and no file is written; in that case restoring the original state later simply means deleting the key again.

    POWERSHELL
    reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms $([Environment]::GetFolderPath("Desktop")+'\backup.reg')
  3. Disable Diffie-Hellman and ECDH.

    • Either use this PowerShell script

      POWERSHELL
      # Creates the two subkeys if they are missing; Enabled=0 tells Schannel to disable the algorithm.
      $regroot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
      $keyarray = $($regroot+'\Diffie-Hellman'), $($regroot+'\ECDH')
      foreach ($key in $keyarray) {
          if (!(Test-Path $key)) { New-Item -Path $key | Out-Null}
          Set-ItemProperty -Path $key -Name 'Enabled' -Type 'DWord' -Value 0
          # Read the value back and report which algorithm was switched off
          if ( $(Get-ItemPropertyValue -Path $key -Name 'Enabled') -eq 0) { $key.Split('\')[-1] + ' deactivated' }
      }
    • Or create DHdisable.reg with the following content and import it by double-clicking the file

      TEXT
      Windows Registry Editor Version 5.00
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
      "Enabled"=dword:00000000
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
      "Enabled"=dword:00000000
  4. Restart the Terminal Server service so that it picks up the new Schannel settings.

  5. Use the sslscan tool to verify that the DH cipher suites are now disabled, for example by scanning the Terminal Server port 5012 from another machine. No remaining suite should carry DHE or ECDHE in its name; what is left are the RSA key transport suites. If DH suites still appear, check for a domain policy overriding the setting (see below) or reboot the server.
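The whole procedure as one script, added here as an example and not Y Soft's own code. It assumes a placeholder Windows service name for the Terminal Server (look the real one up with Get-Service) and probes the local machine on the port 5012 named above; the probe reads back which key exchange the server actually negotiated, so it doubles as the verification step without sslscan.

```powershell
# Added example, not Y Soft's own script. Assumptions: the service name below is a
# placeholder, and the probe target defaults to the local machine on port 5012.
$ServiceName = 'YSoftSafeQTerminalServer'   # assumed; replace with the real service name
$TargetHost  = 'localhost'
$Port        = 5012

$regPath = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
$regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
$backup  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'backup.reg'

# Step 2: back up. reg.exe cannot export a key that does not exist, and on many installs
# KeyExchangeAlgorithms is absent by default; then the later "restore" is simply a delete.
if (Test-Path $regRoot) {
    reg export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; not changing anything." }
} else {
    Write-Warning "$regRoot did not exist before this change, so no backup.reg was written."
}

# Step 3: disable DH and ECDH machine-wide (Schannel treats Enabled=0 as disabled).
foreach ($name in 'Diffie-Hellman', 'ECDH') {
    $key = Join-Path $regRoot $name
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled' -Type DWord -Value 0
}

# Step 4: restart the service so it picks up the new Schannel settings.
Restart-Service -Name $ServiceName -Force

# Step 5: verify from the client side. Open a TLS 1.2 session (RSA key transport does not
# exist in TLS 1.3) and read back which key exchange the server actually negotiated.
function Test-KeyExchange {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate: this is a diagnostic probe, not a trust decision.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        # ExchangeAlgorithmType values: 41984 = RsaKeyX, 43522 = DiffieHellman (DHE).
        # .NET Framework reports ECDHE as the raw CryptoAPI id 44550 (CALG_ECDH_EPHEM).
        $kx = [int]$ssl.KeyExchangeAlgorithm
        $kxName = switch ($kx) { 41984 { 'RSA' } 43522 { 'DHE' } 44550 { 'ECDHE' } default { "unknown($kx)" } }
        [pscustomobject]@{
            Protocol                 = $ssl.SslProtocol
            KeyExchange              = $kxName
            Cipher                   = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            Hash                     = $ssl.HashAlgorithm
            DecryptableWithServerKey = ($kx -eq 41984)   # true only for RSA key transport
        }
    } finally {
        $client.Close()
    }
}

Test-KeyExchange -HostName $TargetHost -Port $Port
```

Run the probe function from a second machine for a genuine server-side check: the registry change is machine-wide, so a probe run on the server itself can no longer offer DH suites either and only proves that an RSA handshake completes. sslscan gives the same independent view because it brings its own TLS stack. The accept-all certificate callback exists only so the probe works against a self-signed Terminal Server certificate; do not reuse it in anything that carries real data.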

The registry modification disables Diffie–Hellman for the whole machine, not just for the Terminal Server: every application that relies on the operating system's Schannel settings loses these cipher suites until the change is reverted.

If the server running YSoft SafeQ is joined to a domain, the change may instead have to be made through domain Group Policy. We have seen cases where the registry modification on the server had no effect because a domain policy was overriding the configuration; such a situation has to be resolved in cooperation with the domain administrator.

Once DH no longer needs to stay disabled for troubleshooting purposes, restore the original settings:

  1. Delete the modified registry key with a PowerShell command launched with administrative rights. This removes the whole KeyExchangeAlgorithms key, including any subkeys that existed before the change; they come back from backup.reg in the next step. If no backup.reg was created because the key did not exist before, this deletion alone restores the original state.

    POWERSHELL
    Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms" -Recurse
  2. Restore the original registry content by double-clicking backup.reg (skip this step if no backup was created).

  3. Reboot the server.
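The restore steps as one script, added here as an example and not Y Soft's own code. It assumes backup.reg is on the current user's desktop, as the backup step above puts it, and handles the case where no backup exists because the key was absent before the change.

```powershell
# Added example, not Y Soft's own script. Assumes backup.reg on the current user's desktop.
$regRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'
$backup  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'backup.reg'

# Step 1: remove the whole key, including the Diffie-Hellman and ECDH subkeys added earlier.
if (Test-Path $regRoot) { Remove-Item -Path $regRoot -Recurse -Force }

# Step 2: bring back whatever the key contained before the change. With no backup the key
# did not exist originally, so the deletion above already is the original state.
if (Test-Path $backup) {
    reg import $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $backup failed; inspect the file before rebooting." }
} else {
    Write-Warning "No backup.reg found; the key was removed, which matches a default installation."
}

# Sanity check before the reboot: neither algorithm may still be forced off.
foreach ($name in 'Diffie-Hellman', 'ECDH') {
    $key = Join-Path $regRoot $name
    $enabled = $null
    if (Test-Path $key) {
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }
    if ($enabled -eq 0) { Write-Warning "$name is still disabled; check the contents of backup.reg." }
    else { "$name enabled (default)" }
}

# Step 3: the reboot makes the restored settings effective for all Schannel users.
Restart-Computer -Confirm
```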
