Armored Car

TLS or Transport Layer Security Protocol

The TLS protocol is the successor to the SSL protocol. It is used to secure communication channels using public/private key cryptography.

For Linux it's easy: get the latest distribution from OpenSSL.org and update all sub-systems.

Microsoft releases patches for each of its software applications as well as for Windows itself. Windows and its subsystems (like the .NET Framework) get their patches via Windows Update. Server applications, like SQL Server or SharePoint, get patches from update downloads.

For Windows 7 SP1, Windows 2008 R2 SP1 and Windows 2012 you need KB3140245 to support TLS v1.2. When in doubt, update your system with the latest patch.

No seriously update your software! Patches happen all the time.

Windows Security Providers

Each supported security provider has its own registry hive. There will be two sub-hives listed (Server and Client). Each of those sub-hives will have one or two DWORD entries.

The main registry hive for TLS v1.2 and its two sub-hives are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server

Enable or Disable security providers

  1. Add the DWORD “Enabled” to both locations (Client and Server) if it's missing
  2. Set its value
    1. To “1” to enable
    2. To “0” to disable
  3. Restart the system

TLS v1.2 Known Issues

.NET Information

.NET Framework v4.6.2 supports both TLS v1.1 and v1.2. No changes are needed.

.NET Framework v4.6.1 and earlier versions need help to make it work: you need to enable support for strong cryptography.

  1. Update each older Framework version to the latest patch.
  2. On both 32-bit and 64-bit systems you will need to edit the registry for each .NET Framework version installed on the system.
  3. Open the registry and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\
  4. Under each version listed, set the SchUseStrongCrypto value to enable it:
SchUseStrongCrypto = (DWORD): 0x00000001
  5. On 64-bit systems you also need to update the Wow6432Node. Change the setting for each version listed. Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\
  6. Under each version listed, set the SchUseStrongCrypto value to enable it:
SchUseStrongCrypto = (DWORD): 0x00000001
  7. Restart your system.

WinHTTP

Prior to Windows 10, WinHTTP did not support TLS v1.2. You will need a patch update and then a registry change.

  1. Get the latest updates from Windows Update. The first update was KB3140245.
  2. Open the registry, navigate to the hive listed below and change the DefaultSecureProtocols value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\
DefaultSecureProtocols = (DWORD): 0xAA0
  3. On 64-bit systems navigate to the Wow6432Node key and change the value there too:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
DefaultSecureProtocols = (DWORD): 0xAA0
  4. Restart your system.

The DefaultSecureProtocols registry entry is an additive hexadecimal value; see the following chart for the individual settings.

Hex Value    Protocol enabled
0x00000008   Enable SSL 2.0 by default
0x00000020   Enable SSL 3.0 by default
0x00000080   Enable TLS 1.0 by default
0x00000200   Enable TLS 1.1 by default
0x00000800   Enable TLS 1.2 by default

It’s common practice to disable outdated protocols. Using a hex calculator, add the values you want. The hex value 0xAA0 (0x800 + 0x200 + 0x80 + 0x20) enables all protocols except SSLv2, while the hex value 0xA80 (0x800 + 0x200 + 0x80) enables only the TLS protocols (1.0, 1.1 and 1.2).
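As an added audit example (my own script, not part of the original article), the PowerShell below decodes the DefaultSecureProtocols bitmask with the chart above and then reads the Schannel TLS 1.2, .NET SchUseStrongCrypto and WinHTTP values from the registry paths listed in this article, reporting "not set" where a value is absent and the OS default applies. It only reads the registry, so it is safe to run on a production box to confirm the changes took effect.

```powershell
# Added audit example (not from the original article): decodes the additive
# DefaultSecureProtocols value and reports the registry settings described above.

$protocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-EnabledProtocols([int]$Mask) {
    # Names whose bit is set in the additive DefaultSecureProtocols value
    $protocolBits.Keys | Where-Object { ($Mask -band $protocolBits[$_]) -ne 0 }
}

function Get-RegistryDword([string]$Path, [string]$Name) {
    # $null when the key or value is absent, i.e. the OS default applies
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# The two masks from the article: 0xAA0 is everything but SSL 2.0, 0xA80 is TLS only
foreach ($mask in 0xAA0, 0xA80) {
    '0x{0:X} -> {1}' -f $mask, ((Get-EnabledProtocols $mask) -join ', ')
}

# Schannel TLS 1.2 Client/Server "Enabled" values
foreach ($side in 'Client', 'Server') {
    $v = Get-RegistryDword "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\$side" 'Enabled'
    "Schannel TLS 1.2 $side Enabled = " + $(if ($null -eq $v) { 'not set (OS default)' } else { $v })
}

# .NET SchUseStrongCrypto under each installed Framework version key (native and Wow6432Node)
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\.NETFramework', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework') {
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-RegistryDword $_.PSPath 'SchUseStrongCrypto'
        "$root\$($_.PSChildName): SchUseStrongCrypto = " + $(if ($null -eq $v) { 'not set' } else { $v })
    }
}

# WinHTTP DefaultSecureProtocols, decoded with the same bit table
foreach ($p in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp') {
    $v = Get-RegistryDword $p 'DefaultSecureProtocols'
    if ($null -eq $v) { "$p : DefaultSecureProtocols not set (OS default applies)" }
    else { "$p : 0x{0:X} -> {1}" -f $v, ((Get-EnabledProtocols $v) -join ', ') }
}
```

The first two output lines show the decoding of 0xAA0 and 0xA80 before any live values; a mask that still lists SSL 3.0 or SSL 2.0 is the thing to look for.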

Known Issues

SHA-384 or SHA-512 and TLS v1.2

As of 2018 SHA-256 is universally accepted for certs.

SHA-384 was not supported by many crypto software providers. Your mileage may vary using it.

SHA-512 support was not included by default from Microsoft and other crypto software providers. Microsoft has a patch to enable it but you need to download it and install it for each of your systems.

For Microsoft and SHA-512 you can fix this in one of two ways.

  • Download the patch from Microsoft, originally KB2973337.
  • Re-issue your certificates using SHA-256

{fin}