Can I enforce a cipher suite with PowerShell?

Solution 1:

You kind of can.

When looking at this page, you can set your own cipher with the highest priority to use:

PS C:\>Enable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" -Position 0
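
An added example, not part of the original answer: the same `Enable-TlsCipherSuite` call wrapped so the previous order is saved and the resulting position is checked. It assumes an elevated session with the Windows TLS module available; the function name and backup path are hypothetical, and the change applies to the machine's Schannel configuration rather than to one PowerShell session.

```powershell
# Added example (not from the original answer).
# Assumes: elevated session, TLS module cmdlets available.
function Set-PreferredTlsCipherSuite {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$Name,

        # Hypothetical location used to keep a copy of the previous order.
        [string]$BackupPath = (Join-Path $env:TEMP 'tls-suite-order.txt')
    )

    # Ordered list of suite names currently enabled on this machine.
    $before = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

    # Save the current order so the change can be reviewed or reverted.
    $before | Set-Content -Path $BackupPath

    if ($PSCmdlet.ShouldProcess($Name, 'Move cipher suite to position 0')) {
        # Precaution: drop an existing entry first so the suite ends up
        # only at the requested position.
        if ($before -contains $Name) {
            Disable-TlsCipherSuite -Name $Name
        }
        # Throws if the suite name is not supported on this Windows build.
        Enable-TlsCipherSuite -Name $Name -Position 0 -ErrorAction Stop
    }

    # Read the list back and report where the suite sits now.
    $after = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Requested        = $Name
        PreviousPosition = [array]::IndexOf($before, $Name)   # -1 = was not enabled
        CurrentPosition  = [array]::IndexOf($after, $Name)
        TopOfList        = $after[0]
        BackupPath       = $BackupPath
    }
}

# Dry run with the suite named in the answer; remove -WhatIf to apply.
Set-PreferredTlsCipherSuite -Name 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA' -WhatIf
```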

Solution 2:

As far as I know, you have no control over what cipher suite is used from PowerShell or .NET; the underlying Windows APIs will negotiate the 'best' suite with the server.

I am using https://github.com/nabla-c0d3/sslyze/, which also has a binary exe version, to test for cipher suites. When calling it from PowerShell, you have to do some parsing of the output. Or use the native Python implementation. Or look at the Python code to see what they are doing.