Get-TlsCipherSuite (TLS) (2024)

Reference

Module:: TLS

Syntax

Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>]

Description

The Get-TlsCipherSuite cmdlet gets an ordered collection of cipher suites for a computer thatTransport Layer Security (TLS) can use.

For more information about the TLS cipher suites, see the documentation for theEnable-TlsCipherSuite cmdlet or type Get-Help Enable-TlsCipherSuite.

For more information about protocol versions , see BCRYPT_KDF_TLS_PRF (L"TLS_PRF").

Examples

Example 1: Get all cipher suites

Get-TlsCipherSuiteKeyType : 0Certificate : RSAMaximumExchangeLength : 65536MinimumExchangeLength : 0Exchange : ECDHHashLength : 0Hash :CipherBlockLength : 16CipherLength : 256BaseCipherSuite : 49200CipherSuite : 49200Cipher : AESName : TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384Protocols : {771}KeyType : 0Certificate : RSAMaximumExchangeLength : 65536MinimumExchangeLength : 0Exchange : ECDHHashLength : 0Hash :CipherBlockLength : 16CipherLength : 128BaseCipherSuite : 49199CipherSuite : 49199Cipher : AESName : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256Protocols : {771}

This command gets all TLS cipher suites for the computer.

Example 2: Get the cipher suites that match a string

Get-TlsCipherSuite -Name AESKeyType : 0Certificate : ECDSAMaximumExchangeLength : 65536MinimumExchangeLength : 0Exchange : ECDHHashLength : 0Hash :CipherBlockLength : 16CipherLength : 256BaseCipherSuite : 49196CipherSuite : 49196Cipher : AESName : TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384Protocols : {771, 65277}KeyType : 0Certificate : ECDSAMaximumExchangeLength : 65536MinimumExchangeLength : 0Exchange : ECDHHashLength : 0Hash :CipherBlockLength : 16CipherLength : 128BaseCipherSuite : 49195CipherSuite : 49195Cipher : AESName : TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256Protocols : {771, 65277}

This command gets all the cipher suites that have names that contain the string AES. Note that thename match is case sensitive and this command returns no output for the name aes. The outputincludes a field for the TLS/SSL protocols supported by the cipher. SeeCipher Suites in TLS/SSL (Schannel SSP) formore information.

Parameters

-Name

Specifies the name of the TLS cipher suite to get. The cmdlet gets cipher suites that match thestring that this cmdlet specifies, so you can specify a partial name. The name match is casesensitive.

Type:	String
Position:	1
Default value:	None
Required:	False
Accept pipeline input:	True
Accept wildcard characters:	False

FAQs

What is get TlsCipherSuite? ›

Description. The Get-TlsCipherSuite cmdlet gets an ordered collection of cipher suites for a computer that Transport Layer Security (TLS) can use.

Read On ›

How do I check my TLS 1.2 cipher suite? ›

Find the cipher using Chrome

Launch Chrome.
Enter the URL you wish to check in the browser.
Click on the ellipsis located on the top-right in the browser.
Select More tools > Developer tools > Security.
Look for the line "Connection...". This will describe the version of TLS or SSL used.

Mar 1, 2023

Discover More Details ›

How to enable TLS 1.2 in PowerShell? ›

Configure TLS 1.2 for current PowerShell session

Run PowerShell as administrator.
To set TLS 1.2 for the current PowerShell session, type: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12.

May 24, 2023

Why is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 considered weak? ›

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 may show up as weak when you performed an SSL report test. This is due to known attacks toward OpenSSL implementation. Dataverse uses Windows implementation that is not based on OpenSSL and therefore is not vulnerable.

See Details ›

What does disable TlsCipherSuite do? ›

The Disable-TlsCipherSuite cmdlet disables a cipher suite. This cmdlet removes the cipher suite from the list of Transport Layer Security (TLS) protocol cipher suites for the computer.

Find Out More ›

Does disable TlsCipherSuite require a reboot? ›

The really nice thing about using these PowerShell cmdlets to manipulate the ciphersuites is there is no need to reboot. Basically, if a ciphersuite is not in the list $csOk, then the ciphersuite is disabled. After running this, run Get-TlsCipherSuite one more time and you'll see the reduced list.

Tell Me More ›

How do I check my TLS level? ›

For Chrome

Open the Developer Tools (Ctrl+Shift+I)
Select the Security tab.
Navigate to the WebAdmin or Cloud Client portal.
Under Security, check the results for the section Connection to check which TLS protocol is used.

Jul 5, 2024

Show Me More ›

How do I check my TLS 1.2 compliance? ›

Here are the steps to test your TLS 1.2 compliance using CURL command on a Linux machine:

Test default CURL TLS choice: curl -k 'https://test-tls12.messagemedia.com' ...
Test CURL with force TLS 1.2: curl -k --tlsv1.2 --tls-max 1.2 'https://test-tls12.messagemedia.com'

More items...

Jun 13, 2023

Explore More ›

What is the vulnerability of TLS 1.2 cipher suites? ›

Several of the cipher suites in TLS 1.2 have vulnerabilities, for example:

RC4.
DSA.
MD5.
SHA1.
Weak Elliptic Curves.
RSA Key Exchange.
Static Diffie-Hellman (DH, ECDH)
Triple DES (3DES)

Mar 9, 2024

How to check TLS from PowerShell? ›

Check-or-Enable-TLS-1.2-with-PowerShell

x64: Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Type DWord -Value '1'
x86. Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Type DWord -Value '1'

Show Me More ›

How to check TLS version in Windows command prompt? ›

Explanation:

Open the Command Prompt by pressing the Windows key + R, typing 'cmd', and pressing Enter.
In the Command Prompt, type 'reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault' and press Enter.

More items...

Nov 19, 2023

Read The Full Story ›

How do I enable TLS 1.2 and TLS 1.3 on Windows 10? ›

To set the protocols to be used for secure connections,

Press Windows key + R to open a Run box, type control and press Enter.
Find Internet Properties and open the dialogue.
On the Advanced tab, scroll down to the Security section and select TLS 1.2 and TLS 1.3.

Oct 9, 2020

See Details ›

Which TLS 1.2 ciphers are weak? ›

A cipher suite is identified as obsolete when one or more of the mechanisms is weak. Especially weak encryption algorithms in TLS 1.2 are designated as NULL, RC2, RC4, DES, IDEA, and TDES/3DES; cipher suites using these algorithms should not be used9.

Get More Info Here ›

How do I enable TLS 1.2 Strong cipher suites? ›

Run a script to enable TLS 1.2 strong cipher suites

Log in to the manager.
Click Administration at the top.
On the left, click Scheduled Tasks.
In the main pane, click New.
The New Scheduled Task Wizard appears.
From the Type drop-down list, select Run Script.

More items...

Is TLS_AES_256_GCM_SHA384 secure? ›

Security level 7 allows only the cipher suite TLS_AES_256_GCM_SHA384, which the NIST recommends for Federal Information Processing Standards (FIPS) mode.

What is TLS hostname verification? ›

Hostname verification is a little known part of HTTPS that involves a server identity check to ensure that the client is talking to the correct server and has not been redirected by a man in the middle attack.

View Details ›

What TLS is my browser using? ›

Under Security, check the Connection and Protocol version to check which TLS protocol is used.

What are TLS ciphers used for? ›

A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or its deprecated predecessor Secure Socket Layer (SSL).

Learn More ›

Which TLS am I using? ›

Checking Your Browser

Under "Protocol Support," you'll see a list of all TLS versions, from TLS 1.0 to TLS 1.3. Your browser's supported versions are labeled "Enabled" with a green checkmark.

Discover More Details ›