Windows - listing supported TLS cipher suites on a Windows server
You can run the following command on a Windows machine (the TLS module ships with Windows 8.1 / Server 2012 R2 and later) to list the cipher suites Schannel currently has enabled, in priority order:
Get-TlsCipherSuite | Format-Wide -Property Name
If you would rather read the locally configured cipher suite list straight from the registry (the Functions value is the REG_MULTI_SZ list that the TLS cmdlets edit):
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" | Select-Object -ExpandProperty Functions
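A raw list of names is hard to judge by eye, so here is an added example (not code from the original post) that audits any list of cipher suite names for legacy algorithms, for suites without forward secrecy and for CBC suites. It is name-based, so it works on the output of Get-TlsCipherSuite as well as on the registry Functions value; the sample list at the bottom is constructed for illustration and is not the output of any particular machine.

```powershell
# Added example, not code from the original post: audit a list of cipher suite
# names for legacy algorithms and for suites without forward secrecy.
function Test-CipherSuiteList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Name
    )
    begin {
        # Legacy algorithms a modern service should not negotiate (label -> regex on the IANA name)
        $legacy = [ordered]@{
            'NULL cipher'  = '_NULL_'
            'RC4'          = '_RC4_'
            '3DES'         = '_3DES_'
            'single DES'   = '_WITH_DES_'
            'MD5 MAC'      = '_MD5$'
            'export grade' = 'EXPORT'
        }
    }
    process {
        $findings = @()
        foreach ($label in $legacy.Keys) {
            if ($Name -match $legacy[$label]) { $findings += "weak algorithm: $label" }
        }
        # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use an ephemeral key
        # exchange; older suites only have forward secrecy with ECDHE or DHE.
        $isTls13 = $Name -match '^TLS_(AES|CHACHA20)_'
        if (-not $isTls13 -and $Name -notmatch '^TLS_(ECDHE|DHE)_') {
            $findings += 'no forward secrecy (static RSA or PSK key exchange)'
        }
        # CBC suites are not broken as such, but AEAD (GCM, CHACHA20-POLY1305) is preferred
        if ($Name -match '_CBC_') { $findings += 'CBC mode, prefer an AEAD suite' }
        [pscustomobject]@{
            Name     = $Name
            Findings = if ($findings.Count) { $findings -join '; ' } else { 'ok' }
        }
    }
}

# Constructed sample, in priority order, shaped like the names Get-TlsCipherSuite returns
$sample = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'TLS_RSA_WITH_NULL_SHA256'
)
$sample | Test-CipherSuiteList | Format-Table -AutoSize

# On a real host, audit the effective list and the locally configured one:
# Get-TlsCipherSuite | Select-Object -ExpandProperty Name | Test-CipherSuiteList
# (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002').Functions | Test-CipherSuiteList
```

Comparing the two real-host pipelines is itself useful: if the effective list from Get-TlsCipherSuite differs from the Local\SSL\00010002 value, a Group Policy cipher suite order (HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002) is probably in force and is what you need to change.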
Listing the suites is rarely an end in itself; nobody looks at the cipher suite list without a reason. The usual reason is a debugging session in which a connection from this machine to a TLS server fails during the handshake, and you need to know which suites the two sides have in common.
The easiest way to see the server side is the Qualys SSL Labs server test: enter the domain you are trying to connect to and it lists the protocols and cipher suites the server accepts.
https://www.ssllabs.com/ssltest/index.html
Sometimes the server is not reachable from the public internet, so SSL Labs cannot test it and you need a tool you can run from inside the network:
Nmap - enumerates, for each TLS version, every cipher suite the server accepts and grades them:
nmap --script ssl-enum-ciphers -p 443 www.example.com
OpenSSL - can be quite tedious, because s_client tests one cipher suite per invocation:
openssl s_client -connect example.com:443 -cipher ECDHE-RSA-AES256-GCM-SHA384
A successful handshake prints the negotiated suite on the "Cipher :" line of the session summary; a server that does not accept the suite fails with a handshake failure alert. Two things to keep in mind: OpenSSL uses its own suite names rather than the IANA names Windows shows (openssl ciphers -stdname prints both), and -cipher only covers TLS 1.2 and earlier suites; TLS 1.3 suites are selected with -ciphersuites (OpenSSL 1.1.1 and later), for example -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384.
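Nmap and OpenSSL show what the server accepts, but the question in a Windows debugging session is what this Windows machine will actually negotiate, which depends on the local Schannel configuration. The following added example (not code from the original post) opens an SslStream to the server once per protocol version and reports the negotiated protocol, cipher, hash and key exchange; both Windows PowerShell and PowerShell 7 on Windows use Schannel underneath, so the result reflects this host's cipher suite list. It needs network access to the host you pass in (www.example.com below is only a placeholder); the Tls13 enum value exists only on runtimes that define it (.NET Framework 4.8 or PowerShell 7), so drop it from the default list on older hosts.

```powershell
# Added example, not code from the original post: probe a TLS endpoint from this
# Windows host, one handshake per protocol version, and report what Schannel negotiated.
function Test-TlsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Tls13 requires a runtime that defines it (.NET Framework 4.8 / PowerShell 7)
        [System.Security.Authentication.SslProtocols[]] $Protocols = @('Tls', 'Tls11', 'Tls12', 'Tls13')
    )
    foreach ($proto in $Protocols) {
        $client = $null
        $ssl = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Accept any server certificate: this probes cipher negotiation, not trust.
            # Do not reuse this callback in real client code.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            # Restrict the handshake to a single protocol version so each row is unambiguous
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            # NegotiatedCipherSuite (IANA name) exists on .NET Core 3.0+ / PowerShell 7 only
            $suite = if ($ssl.PSObject.Properties['NegotiatedCipherSuite']) { $ssl.NegotiatedCipherSuite } else { 'n/a on .NET Framework' }
            [pscustomobject]@{
                Requested   = $proto
                Negotiated  = $ssl.SslProtocol
                CipherSuite = $suite
                Cipher      = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
                Hash        = $ssl.HashAlgorithm
                KeyExchange = $ssl.KeyExchangeAlgorithm
                Result      = 'handshake ok'
            }
        } catch {
            # A refused protocol or no common cipher suite ends up here with the Schannel error text
            [pscustomobject]@{
                Requested   = $proto
                Negotiated  = $null
                CipherSuite = $null
                Cipher      = $null
                Hash        = $null
                KeyExchange = $null
                Result      = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl) { $ssl.Close() }
            if ($client) { $client.Close() }
        }
    }
}

# Placeholder host; replace with the server you are debugging against
Test-TlsEndpoint -HostName 'www.example.com' | Format-Table -AutoSize
```

A row whose Result is an error for every protocol while Nmap shows the server accepting suites points at the local configuration: compare the server's accepted suites with Get-TlsCipherSuite on this host and look for the missing overlap.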
Additional info: changing the TLS cipher suite order
This only changes the priority order of cipher suites that Schannel already implements; it does not add or install new cipher suites, and a suite the Windows version does not support cannot be enabled this way.
Its purpose is to make sure that a cipher suite your organisation has approved is the one offered first in the handshake: it sets the order in the ClientHello when this machine is the client, and the server's preference when it picks one of the suites a client offered.
You can use the following script from an elevated PowerShell prompt. Windows has no Set-TlsCipherSuiteOrder cmdlet; the TLS module reorders the local list with Disable-TlsCipherSuite and Enable-TlsCipherSuite -Position.
# Move a specific cipher suite to the highest priority (position 0)
$cipher = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
$order = Get-TlsCipherSuite | Select-Object -ExpandProperty Name
# Remove it first if it is already enabled, so it is moved rather than duplicated
if ($order -contains $cipher) { Disable-TlsCipherSuite -Name $cipher }
Enable-TlsCipherSuite -Name $cipher -Position 0
# Verify: the suite should now be first
Get-TlsCipherSuite | Select-Object -First 1 -ExpandProperty Name
Two caveats: a cipher suite order pushed by Group Policy (SSL Cipher Suite Order, stored under HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002) takes precedence over the local list edited here, and processes that are already running may not pick up the new order until the affected service is restarted or the machine rebooted, so restart before re-testing.
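Moving one suite to the top is the common one-off fix, but an organisation-approved baseline usually means "exactly these suites, in exactly this order". The following added example (not code from the original post) enforces such a list with the same cmdlets: it disables every suite not on the list and then re-inserts each approved suite at its intended position. The baseline list is constructed for illustration (forward-secret AEAD suites only); substitute your organisation's list. Removing suites can break older clients and Windows components that still need them, and enabling a name the local Schannel does not implement only writes a registry entry with no effect, so run it with -WhatIf first and test on a non-production host.

```powershell
# Added example, not code from the original post: enforce an approved cipher
# suite list, in order, using the TLS module's Enable/Disable cmdlets.
function Set-ApprovedCipherSuiteOrder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Approved suites, highest priority first
        [Parameter(Mandatory)] [string[]] $Approved
    )
    $current = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

    # 1. Drop everything that is not on the approved list
    foreach ($name in $current) {
        if ($Approved -notcontains $name) {
            if ($PSCmdlet.ShouldProcess($name, 'Disable-TlsCipherSuite')) {
                Disable-TlsCipherSuite -Name $name
            }
        }
    }

    # 2. Re-insert each approved suite at its intended position. Positions 0..i-1
    #    are already final, so inserting at i pushes the remaining suites down.
    for ($i = 0; $i -lt $Approved.Count; $i++) {
        $name = $Approved[$i]
        if ($PSCmdlet.ShouldProcess($name, "Enable-TlsCipherSuite at position $i")) {
            # Remove an already enabled suite first so it is moved rather than duplicated
            if ($current -contains $name) { Disable-TlsCipherSuite -Name $name }
            Enable-TlsCipherSuite -Name $name -Position $i
        }
    }

    # 3. Return the effective order so the caller can verify it
    Get-TlsCipherSuite | Select-Object -ExpandProperty Name
}

# Constructed example baseline; substitute your organisation's approved list
$approved = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Dry run: -WhatIf prints every Disable/Enable without touching the registry
Set-ApprovedCipherSuiteOrder -Approved $approved -WhatIf

# Apply for real, then check that the returned order starts with $approved:
# Set-ApprovedCipherSuiteOrder -Approved $approved
```

Because the function only edits the local list, it has no effect on a host where Group Policy sets the SSL Cipher Suite Order; there the same list has to be delivered through the policy (a comma-separated string in the policy key's Functions value) instead.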
Microsoft documents which cipher suites each Windows version supports, and which of them are enabled by default, at:
https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel