You may recall I previously ranted on twitter (https://twitter.com/joewaredotnet/status/1432548671527264258?s=20&t=LMw3UZ9dddXhxVPs8dKa7A) that MSFT added TLS 1.3 for HTTPS for Windows Server 2022 but neglected to add it for AD.
Well someone listened.
You are welcome.
[Sat 07/09/2022 20:54:17.43]
C:\temp>adfind -h k22-ese.k22-ese-dom.test.loc -sslinfo
AdFind V01.59.00cppBETA Joe Richards (support@joeware.net) June 2022
dn:CN=Certificate Info,CN=k22-ese.k22-ese-dom.test.loc
>ciEncodingType: X509_ASN_ENCODING (0x01)
>ciVersion: CERT_V3 (0x02)
>ciNotBefore: 2022/04/16-20:37:48 Eastern Daylight Time
>ciNotAfter: 2023/04/16-20:57:48 Eastern Daylight Time
>ciSignatureAlgorithm: 1.2.840.113549.1.1.11
>ciIssuer: CN=K22-ESE.k22-ese-dom.test.loc
>ciSubject: CN=K22-ESE.k22-ese-dom.test.loc
>ciAltNameDNSName: K22-ESE.k22-ese-dom.test.loc
dn:CN=SSL Connection Information,CN=k22-ese.k22-ese-dom.test.loc
>ciProtocol: Transport Layer Security 1.3 client-side (SP_PROT_TLS1_3_CLIENT)
>ciCipherAlgorithm: AES 256-bit encryption algorithm (CALG_AES_256)
>ciCipherStrength: 256 bits
>ciHashAlgorithm: 384 bit SHA hashing algorithm (CALG_SHA_384)
>ciHashStrength: 0 bits
>ciKeyExchAlgorithm: Unknown(0x00)
>ciKeyExchStrength: 0 bits
The command completed successfully
[Sat 07/09/2022 20:55:16.00]
E:\>openssl s_client -connect k22-ese.k22-ese-dom.test.loc:636 < nul | grep -i tls
depth=0 CN = K22-ESE.k22-ese-dom.test.loc
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = K22-ESE.k22-ese-dom.test.loc
verify return:1
File STDIN:
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
DONE
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
TLS session ticket lifetime hint: 36000 (seconds)
TLS session ticket:
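The same check as above, scripted so it can run against every DC in a fleet: an added example (not AdFind or any joeware code) that completes a TLS handshake to port 636, reports the negotiated protocol and cipher, and flags anything below TLS 1.3 or a non-AEAD suite. The default host name is the lab DC from the output above and is assumed to be reachable; `--insecure` only skips certificate validation for self-signed lab certs like the one shown.

```python
# Added example (not AdFind or joeware code): probe an LDAPS endpoint on
# TCP 636, report the negotiated TLS version and cipher, and judge it
# against a minimum-version policy. DEFAULT_HOST is the lab DC from the
# post and is assumed to be reachable.
import socket
import ssl
import sys

DEFAULT_HOST = "k22-ese.k22-ese-dom.test.loc"  # assumed lab DC


def probe_ldaps(host, port=636, minimum=ssl.TLSVersion.TLSv1_2,
                verify=True, timeout=5.0):
    """Handshake with host:port and return (protocol, cipher_name, bits),
    e.g. ('TLSv1.3', 'TLS_AES_256_GCM_SHA384', 256).
    verify=False disables only certificate validation so a self-signed lab
    cert (verify error 18 in the post) can be inspected; keep it on in prod."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum  # refuse anything older than this
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


def assess(protocol, cipher_name, require_tls13=True):
    """Pure policy check on a negotiated protocol/cipher pair -> (ok, reason)."""
    if protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        return False, f"{protocol} is deprecated and must not be offered"
    if require_tls13 and protocol != "TLSv1.3":
        return False, f"negotiated {protocol}, expected TLSv1.3"
    if "GCM" not in cipher_name and "CHACHA20" not in cipher_name:
        return False, f"{cipher_name} is not an AEAD suite"
    return True, f"{protocol} with {cipher_name}"


def check_dc(host=DEFAULT_HOST, port=636, verify=True):
    """Probe with TLS 1.2 as the floor and report whether TLS 1.3 came back."""
    protocol, cipher_name, bits = probe_ldaps(host, port, verify=verify)
    ok, reason = assess(protocol, cipher_name)
    return ok, f"{host}:{port} -> {reason} ({bits}-bit cipher)"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    ok, message = check_dc(host, verify="--insecure" not in sys.argv)
    print(("PASS " if ok else "FAIL ") + message)
    sys.exit(0 if ok else 1)
```

The exit code makes it usable from a scheduled job; a DC that still negotiates TLS 1.2 returns 1 with the negotiated suite in the message.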
Love to see it. Thanks Joe!
Thank you for noticing and publishing this!