NT6_PFS.INF (for Microsoft® Windows® 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012) and
NT60_PFS.INF (for Windows Vista® and Windows Server 2008) configure Windows’ SSL/TLS package SChannel to use Cipher Suites which provide
The setup scripts also disable deprecated, insecure or weak
cryptographic algorithms, ciphers, hashes and protocols, as
recommended in the Security Advisories
Additionally the setup scripts disable the deprecated, insecure or weak protocols SSL v2.0, SSL v3.0 and TLS v1.0, and enable the protocols TLS v1.1 and TLS v1.2 in Internet Explorer.
The vulnerabilities are known as BEAST and POODLE; the CVE® lists them as CVE-2011-3389, CVE-2014-3566 and CVE-2014-8730.
Also see the IETF’s RFCs 6151, 6176, 7457, 7465, 7507, 7525 and 7568, plus the post Is SSL broken? – More about Security Bulletin MS12-006 (previously known as Security Advisory 2588513) on Microsoft’s Security Research and Defense Blog.
TLS_RSA_WITH_AES_128_GCM_SHA256, the security update 2992611 alias MS14-066, its successor 3046049 alias MS15-031, or 3042058 has to be installed.
To enable the
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, the update
which is part of the optional update
has to be installed.
has to be installed.
For Windows 8 and Windows Server 2012 this update is included in the update 2975331; for Windows 8.1 and Windows Server 2012 R2 it is included in the update 2975719.
Note: Windows Vista and
Windows Server 2008 don’t support
To enable TLS v1.2 on Windows Vista and Windows Server 2008, the update 4019276 has to be installed.
Caveat: Windows’ CBS may overwrite this Registry entry every time an update for the SChannel package is installed!
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
"Functions"=multi:…
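A check that can be rerun after each SChannel update to confirm that the cipher suite order has not been overwritten, given as an added example (it is not part of the original page or its setup scripts). It takes the suite names from the "Functions" value as a NUL-, newline- or comma-separated string; the weak-algorithm list and the sample value are assumptions constructed for illustration.

```python
import re

# Key exchanges with ephemeral Diffie-Hellman give forward secrecy.
PFS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# Assumed list of weak algorithm tokens; adjust to your own policy.
WEAK_TOKENS = {"NULL", "RC2", "RC4", "DES", "3DES", "MD5", "EXPORT", "EXPORT1024"}


def parse_functions(raw):
    """Split the exported "Functions" value into individual suite names."""
    return [s.strip() for s in re.split(r"[\0\r\n,]+", raw) if s.strip()]


def is_pfs(suite):
    return suite.startswith(PFS_PREFIXES)


def weak_parts(suite):
    """Return the weak components found in one suite name."""
    if suite.startswith("SSL_CK_"):  # SSL 2.0 suites are weak as a whole
        return ["SSLv2"]
    return sorted(WEAK_TOKENS.intersection(suite.split("_")))


def audit(raw):
    """Report weak suites and non-PFS suites ordered ahead of a PFS suite."""
    suites = parse_functions(raw)
    weak = {s: weak_parts(s) for s in suites if weak_parts(s)}
    pfs_pos = [i for i, s in enumerate(suites) if is_pfs(s)]
    last_pfs = pfs_pos[-1] if pfs_pos else -1
    misordered = [s for i, s in enumerate(suites) if not is_pfs(s) and i < last_pfs]
    return {"pfs": [suites[i] for i in pfs_pos], "weak": weak,
            "misordered": misordered,
            "ok": bool(pfs_pos) and not weak and not misordered}


# Constructed sample: an order as it might look after being overwritten.
SAMPLE_AFTER_UPDATE = "\0".join([
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_CK_RC4_128_WITH_MD5",
])

if __name__ == "__main__":
    for key, value in audit(SAMPLE_AFTER_UPDATE).items():
        print(key, "=", value)
```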
Despite numerous requests from its customers, for example "Better support for Perfect forward secrecy", Microsoft has however not published corresponding updates for Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008, although these versions of Windows NT support Perfect Forward Secrecy too.
Perfect Forward Secrecy since many years;
as well as the
Key exchange methods.
NT60_PFS.INF are packaged in the (compressed and digitally signed) cabinet file
SCHANNEL.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents, right-click the extracted setup script
NT60_PFS.INF respectively to display its context menu and click
Install to run the installation.
Open the Control Panel and click the entry
View installed updates underneath the
Programs and Features or Programs
In Installed Updates select the entry
'Perfect Forward Secrecy' für 'Windows Vista/2008' or
'Perfect Forward Secrecy' für 'Windows 7/2008 R2/8.x/2012 [R2]'
Systemkonfiguration and click the
Uninstall menu entry.