argerrit

Outdated cipher suites order for Windows Phone 8.1

Discussion created by argerrit on Jan 7, 2015
Latest reply on Jan 7, 2015 by hellotls

Just an FYI. This may be on purpose, but in case it is not: Your scanner uses an outdated cipher order for IE11 / Windows Phone 8.1.

Phone update policies are obviously different than PC's, but just as Windows 8.1 for PC/tablet received an overhaul in cipher suites in their Q1 2014 8.1.1 update, so did Windows Phone 8.1 shortly after that. Your scanner still uses the original cipher suite order. Starting roughly July 2014, all Windows Phone 8.1 builds are now updated to use a cipher suite similar (though not 100% the same, it seems) to the one PC ships with since 8.1.1. This update also added support for new ciphers, and combined, these modifications changed/improved the selected cipher suite in many cases.


So all new phone builds plus all existing phones that were updated now use the new cipher suite, so it may be a good idea to use that one on your website?

The new order (using your own client scanner) is now:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)

 

You can verify this, e.g., by taking any existing Windows Phone 8.1 phone and signing up (= free) for their Developer Preview, which will enable upgrades to the latest officially supported builds. But of course if you buy/own a recently released model, it already comes with the new build. I tested this with a few devices and all show the new order.
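Added example, not part of the original post: a small Python simulation of why the client's order matters, showing which suite gets selected for the list above when a server honors the client's preference versus its own. The `SERVER` list and the RSA certificate are constructed assumptions, and `parse_suites` and `negotiate` are hypothetical helper names.

```python
import re

# Client order copied from the post above (suite name, IANA code point).
WP81 = """
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x6a)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x40)
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)
"""

# Constructed server configuration (assumption): RSA certificate, four suites enabled.
SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]

def parse_suites(text):
    """Return [(name, code)] in the listed order."""
    return [(n, int(c, 16)) for n, c in re.findall(r"(TLS_\w+) \((0x[0-9a-f]+)\)", text)]

def negotiate(client, server, cert, server_order=False):
    """Simulate suite selection; cert is 'RSA', 'ECDSA' or 'DSS'."""
    names = [n for n, _ in client]
    # The authentication part of the suite name must match the server certificate type.
    auth_ok = lambda n: n.split("_WITH_")[0].rsplit("_", 1)[1] == cert
    walk, other = (server, names) if server_order else (names, server)
    return next((n for n in walk if n in other and auth_ok(n)), None)

if __name__ == "__main__":
    client = parse_suites(WP81)
    print("client order:", negotiate(client, SERVER, "RSA"))
    print("server order:", negotiate(client, SERVER, "RSA", server_order=True))
```

With an RSA certificate, the list offers ECDHE only with CBC suites, so the simulated server reaches a forward-secret GCM suite only through DHE_RSA and only when it enforces its own order.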
