Is there any way to force RDP to use TLS version 1.2 since I would ideally like to switch to the Suite B TLS ciphers e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. I have always felt rather lukewarm about AES-CBC mode in TLS since the padding oracle attacks were demonstrated a few years ago (2003ish). OK there are (probably?) effective countermeasures in all current software stacks (I really hope that includes schannel) but we all know well-meaning people can go back and "clean up" old code. Anyone for a Debian random number? ;) More seriously, it would be good to be able to configure this for those situations where a specified security level is a requirement of a contract and while the NSA doesn't have much say in things this side of the water their standards can be a good reference point.
I have already added the following to the registry on both server and client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
However, the client flatly refuses to connect with a TLS1.2 dialect - always only TLS1.0. Has anyone found a way of doing this? If not, are Microsoft planning to update the client at any point?
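To tell apart a client that never offers TLS 1.2 from a server listener that will not accept it, here is an added Python probe (not part of the original post) that sends the RDP negotiation request asking for a TLS-based security protocol and then completes a handshake pinned to TLS 1.2 only, reporting the negotiated version and cipher suite. The host and port are assumptions you supply; the byte layouts follow the TPKT/X.224 framing and RDP_NEG_REQ/RDP_NEG_RSP structures of MS-RDPBCGR.

```python
import socket
import ssl
import struct

PROTOCOL_SSL = 0x00000001     # TLS security (RDP_NEG_REQ requestedProtocols flag)
PROTOCOL_HYBRID = 0x00000002  # CredSSP/NLA, which also runs over TLS on the wire

def build_neg_request(protocols: int = PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (all fields per MS-RDPBCGR)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # type, flags, length, requestedProtocols
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req       # LI, CR TPDU, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT: version 3, reserved, total length

def parse_neg_response(data: bytes):
    """Return ('ok', selectedProtocol), ('fail', failureCode) or ('none', None) from an X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:
        return ("none", None)  # no RDP_NEG_RSP: legacy server offering only Standard RDP Security
    rsp_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if rsp_type == 0x02:
        return ("ok", value)
    if rsp_type == 0x03:
        return ("fail", value)
    raise ValueError(f"unknown negotiation response type {rsp_type:#x}")

def probe_tls12(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Negotiate a TLS-based protocol, then handshake with TLS 1.2 as both minimum and maximum version."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_neg_request())
        status, value = parse_neg_response(sock.recv(1024))
        if status != "ok" or value not in (PROTOCOL_SSL, PROTOCOL_HYBRID):
            return {"negotiation": status, "value": value}  # server refused TLS-based security
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False       # RDP listeners usually present self-signed certificates;
        ctx.verify_mode = ssl.CERT_NONE  # this probe only reports the negotiated version and suite
        with ctx.wrap_socket(sock) as tls:
            return {"negotiation": "ok", "tls_version": tls.version(), "cipher": tls.cipher()}

if __name__ == "__main__":
    import sys
    print(probe_tls12(sys.argv[1]))  # e.g. python probe.py rdp-server.example (assumed host name)
```

A handshake failure here with a server known to have TLS 1.2 enabled points at the client side; a successful result with a CBC suite shows the Schannel cipher suite order still needs adjusting on the server.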