Disable TlsCipher

Hi Folks,

I have created a script to disable the cipher, i.e.

Disable-TlsCipherSuite -Name $Temp[$i]

As I am passing the value of the Name property using an array's objects, it is throwing an error:
Disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225.

While if I am running the same command by passing the exact cipher name instead of using a variable, it's working as expected.

I have already followed the article mentioned on “powershell - Disable-TlsCipherSuite : Exception from HRESULT: 0xD0000225 - Stack Overflow”.

Could you please help to fix it?

Prabhat,
Welcome to the forum. :wave:t4:

It may help if you post all of your code or at least the relevant part of the code you use. :wink:

In the answer on StackOverflow you linked, it is claimed that the error indicates that the cipher is already disabled. Did you try the solution posted there?

Hi Olaf,

Thanks for responding. Below is the entire code.

$DESArray = Get-TlsCipherSuite|Format-Table -Property Name|findstr DES
$RC4Array = Get-TlsCipherSuite|Format-Table -Property Name|findstr RC4
$IDEAArray = Get-TlsCipherSuite|Format-Table -Property Name|findstr IDEA
$DisableCipher = $DESArray + $RC4Array + $IDEAArray
For ($i=0;$i -lt $DisableCipher.Length;$i++){
    Disable-TlsCipherSuite -Name $DisableCipher[$i]
}

Yes, I did enable the cipher and tried the code again to disable the same cipher, i.e. passing the cipher name as a variable, but no luck and ended up with the same error.

this works for me …

$SearchPatternList = 'DES', 'RC4', 'IDEA'
$ResultList =
foreach ($SearchPattern in $SearchPatternList) {
    $CipherSuite = Get-TlsCipherSuite -Name $SearchPattern
    if ($CipherSuite) {
        $CipherSuite |
        ForEach-Object {
            ((($_ | out-string) -split "\n" | 
                Select-String -Pattern 'name' -SimpleMatch | 
                Select-Object -ExpandProperty line ) -split ':')[1].trim()
        }
    }
}

foreach ($Result in $ResultList) {
    Disable-TlsCipherSuite -Name $Result
}

Just curious to know where I went wrong :frowning:

While I do not have any experience working with this kind of topic, I have to admit that Get-TlsCipherSuite provides a weird output. So it is not as straightforward as usual.

Regardless of that, you should never use format cmdlets like Format-Table and pipe their output to the next cmdlet. That has never worked AFAIK. :wink:

The way you determined the names and put them together results in a big string with concatenated names - not in an array of strings.
Run this:

$DESArray = Get-TlsCipherSuite|Format-Table -Property Name|findstr DES
$RC4Array = Get-TlsCipherSuite|Format-Table -Property Name|findstr RC4
$IDEAArray = Get-TlsCipherSuite|Format-Table -Property Name|findstr IDEA
$DisableCipher = $DESArray + $RC4Array + $IDEAArray

and output this:

$DisableCipher

How does it look?

The first thing you should do when you need to debug some code is to output the variables to the console and inspect them to see if they are what you’d expect them to be. :wink:

noted!!

Thanks a lot once again :slight_smile:
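
The debugging step and the object-based selection discussed in this thread, put together as an added example (not code posted by either participant). It assumes an elevated PowerShell session on a Windows host where the TLS cmdlets are available; the variable names are chosen here for illustration.

```powershell
# Added example: inspect the scraped text first, then select by the Name
# property of the objects Get-TlsCipherSuite returns.
$patterns = 'DES', 'RC4', 'IDEA'   # same search patterns as in the thread

# 1. Inspect what the Format-Table | findstr pipeline really produced.
$scraped = Get-TlsCipherSuite | Format-Table -Property Name | findstr DES
'scraped items: {0}' -f @($scraped).Count
foreach ($line in @($scraped)) {
    # Brackets and Length expose any whitespace the console would hide.
    '[{0}] length={1}' -f $line, $line.Length
}

# 2. Select the suites as objects; no text rendering is involved.
$targets = foreach ($p in $patterns) {
    Get-TlsCipherSuite -Name $p    # -Name returns suites whose name contains $p
}
# A suite can match more than one pattern, so de-duplicate by name.
$targets = @($targets | Sort-Object -Property Name -Unique)

foreach ($suite in $targets) {
    try {
        # Pass the string from the Name property, not a line of table text.
        Disable-TlsCipherSuite -Name $suite.Name -ErrorAction Stop
        'disabled: {0}' -f $suite.Name
    }
    catch {
        # Report the exact value that was passed so a bad name is obvious.
        Write-Warning ('failed: [{0}] {1}' -f $suite.Name, $_.Exception.Message)
    }
}

# 3. Check that no suite matching the patterns is still listed.
$left = foreach ($p in $patterns) { Get-TlsCipherSuite -Name $p }
'still listed: {0}' -f @($left).Count
```

If step 1 shows a length greater than the visible cipher name, or a single item where several were expected, the value handed to Disable-TlsCipherSuite was not a clean cipher suite name.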