Disabling SHA-1

This is not recommended unless requested explicitly. Disabling SHA-1 on Windows Server results in a great number of incompatible clients!

SHA-1 hash function was deprecated by CA/B Forum due to the consideration that this hash function became practically vulnerable to collision attacks. At the time of writing, Google Chrome treats the connection as the one secured by obsolete cryptography, if the negotiated cipher suite implies SHA-1 hash function for message authentication.

Still, there is a number of browsers that do not support SHA-256 or a higher hash function, thus, a total disabling of SHA-1 cipher suites may lead to drastic interoperability issues.

Unless you desperately require to forbid the server usage of SHA-1 cipher suites, there is an option to leave support for SHA-1 enabled, but configure the server preferences to use ciphers with a more secure hash function in the first place. See the next section of this article for the corresponding how-to.

  1. Open registry editor:

    Win + R > regedit

  2. Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes

    Right-click on “Hashes” > New > Key

    Hardening_19.jpg

    Name the key “SHA”

  3. Right-click on “SHA” > New > DWORD (32-bit) Value

    Hardening_18.jpg

    Name the value “Enabled”

  4. Double-click the created “Enabled” value and make sure that there is zero (0) in the “Value Data:” field > click “OK”

    Hardening_20.jpg

  5. You may need to restart Windows Server to apply changes

Comments

We welcome your comments, questions, corrections and additional information relating to this article. Your comments may take some time to appear. Please be aware that off-topic comments will be deleted.

If you need specific help with your account, feel free to contact our Support Team. Thank you.

Need help? We're always here for you.

× Close