Expected Cipher Suites not showing in packet traces - Handshake Failure

I think your question is based on a misunderstanding of how the TLS handshake and specifically the cipher selection works and what you can see on the wire.

The cipher selection is done by the client sending a list of ciphers the client accepts and the server then selecting one cipher from this client offer. This means only the ciphers acceptable by the client are included in the TLS handshake. The list of ciphers acceptable by the server are not included in the handshake and that's why you cannot see it.

You can only get the ciphers supported by the server by using a client configuration which only offers this specific cipher. If the server accepted the cipher it will support it, if not it (most likely) will not support it. And that's exactly what the nmap command you've used does - just tries lots of different ciphers and checks if the handshake succeeds.


If you're talking about those ciphers for use in SSL/TLS, you need to configure it appropriately for Windows. If they're not showing up during negotiation, you probably haven't configured it correctly.

You need to configure the client and/or the server to support them:

  1. General SChannel Cipher info: https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
  2. Configuring them via policy: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls

And if you are Linux friendly, here is a solid article on using nmap to output the SSL/TLS cipher negotiation to the conosle: https://medium.com/@rootsecdev/configuring-secure-cipher-suites-in-windows-server-2019-iis-7d1ff1ffe5ea

What's a common cause of this? ...misconfiguration. You are either not setting this up correctly in the first place or the setting is being overwritten by something (e.g. Group Policy, some security product), etc.