Hi @ll,

on April 8, 2014 Microsoft published an update for Windows 8.1 and
Windows Server 2012 R2 (see <http://support.microsoft.com/kb/2929781>)
which enables "perfect forward secrecy" per default by reordering of
the TLS cipher suites.


Unfortunately Microsoft has not published corresponding updates for
Windows 8/Server 2012, Windows 7/Server 2008 R2 and Windows Vista/
Server 2008, despite numerous requests from its customers, although
these version support "perfect forward secrecy". For example, see
<https://connect.microsoft.com/IE/feedback/details/796877/better-support-for-perfect-forward-secrecy>


Fortunately it's dead simple to enable "perfect forware secrecy" in
Windows Vista and later versions: just change the order of the TLS
cipher suites in the registry entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
"Functions"=multi:...

and reboot.


For Windows 7/Server 2008 R2/8/Server 2012 you can use the script
<http://home.arcor.de/skanthak/download/NT6_PFS.INF> to perform all
the necessary changes to enable PFS as well as TLS 1.2 and disable
some week algorithms/ciphers too.

You'll see the success when you visit <https://www.howsmyssl.com/>,
<https://www.ssllabs.com/ssltest/viewMyClient.html> or
<https://cc.dcsec.uni-hannover.de/> with Internet Explorer 8 and
later after the reboot.


have fun
Stefan Kanthak


JFTR: IPsec is able to use "perfect forward secrecy" for MANY years,
      see <http://support.microsoft.com/kb/252735>,
      <http://support.microsoft.com/kb/301284> and
      <http://support.microsoft.com/kb/816514> as well as
      <http://technet.microsoft.com/library/cc759504.aspx>