Nowadays there is an SSL vulnerability called POODLE discovered by Google team in SSLv3 protocol. So uses of SSLv3 is not secure to use. Now it’s recommended using TLS 1.2. This article will help you enable TLS security in Windows Server 2008 R2 or later versions by editing registry.
Step 1 – Backup Registry Settings
We strongly recommend taking a backup of the registry before making any changes. Use below link to find steps to how to export registry values.
Step 2 – Enable TLS 1.2 on Windows
You have two options to enable TLS version on your system.
Option 1 – Merge Resistry File
Download the Enable-TLS12-Windows.reg and Enable-TLS12-TLS11-Windows.reg files on your Windows system. Now right click on file and click Merge.
Option 2 – Manually Update Registry
You can do this by directly editing registry file manually.
2.1 Open registry on your server by running ‘
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
2.2 Add the TLS 1.1 and TLS 1.2 keys under Protocols. It will looks like directories.
2.3 Now create two keys Client and Server under both TLS keys.
2.4 Now create the DWORD Values under Server and Client key as following
DisabledByDefault [Value = 0] Enabled [Value = 1]
Step 3 – Disable TLS and SSL Older Versions
3.1 Open registry on your server by running ‘regedit’ in run window and navigate to below location.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3.2 Now change DWORD Values under Server and Client under TLS 1.0, SSL 3.0 and Older SSL version keys.
DisabledByDefault [Value = 0] Enabled [Value = 0]
After making all above setting reboot your server.
Here’s a PowerShell script I wrote that does it too.
$SSLTLS = “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols”
$Types = “Client” , “Server”
$SK2V = ( 0..7 | % { 0 } ) + ( 8..9 | % { 1 } )
$Protocols = @( 2..3 | % { “SSL $_.0” } ) + @( 0..2 | % { “TLS 1.$_” } )
$Protocols | % `
{
$Path = “$SSLTLS\$_”
If ( ( Test-Path $Path ) -ne $True ) { NI -Path “$SSLTLS” -Name “$_” }
$Types | % { If ( ( Test-Path “$Path\$_” ) -ne $True ) { NI -Path “$Path” -Name “$_” } }
}
$Path = @( $Protocols | % { “$SSLTLS\$_\Client” ; “$SSLTLS\$_\Server” } )
0..( $Path.Count – 1 ) | % `
{
If ( ( gci $Path ) -eq $Null )
{ SP -Path ( $Path[$_] ) -Name “DisabledByDefault” -Type “DWORD” -Value “0”
SP -Path ( $Path[$_] ) -Name “Enabled” -Type “DWORD” -Value ( $SK2V[$_] ) } }
Please dont provide a false information on something that you are not sure about !
It’s clearly say set a dward to 1 per MS docs
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)#BKMK_SchannelTR_TLS12
Also there is another URL that show to how disable all the protocols on
https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
I’m shocked of the number of people who are trying to figure out things by them self ! Anyway, i will sum all that text with the registry file below:
pastebin Link : https://pastebin.com/7RN6m15G
;Start Registry File
;———————-
Windows Registry Editor Version 5.00
;Microsoft Document https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)#BKMK_SchannelTR_TLS12
;This document will disable the follow:
; – PCT 1.0
; – SSL 2.0
; – SSL 3.0
; – TLS 1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
;PCT 1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
;SSL 2.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
;SSL 3.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
;TLS 1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
;TLS 1.1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
;TLS 1.2
;Note: For Win7 / Win2008R2, you must have DisabledByDefault set to 0 in client Win7 and in Both Win2008R2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001
;———————
;End Registry File
SSL Certificate Incorrect Configuration – INTG Server Accepts SYST client Certificate and returns 200 response
We have developed a Web API application and we are using Mutual TLS V1.2 for Authentication. We have two servers (X and Y) in INTG Environment and also we have a load balancer. Server X and Y are accessed via load balancer server.
I have hit one of the Web Api Get request URL by selecting the Client certificate in Chrome browser if the request goes to server Y and if I pass a valid INTG client certificate it’s working fine and If I pass invalid client certificate or other environment(SYST) certificate it throws 401 UnAuthorized. This is the correct behavior and it is working fine in Y.
But in the Server X if I pass invalid certificate it’s throwing 401 Unauthorized but if I pass SYST Client Certificate it’s working and I am getting the 200 response. It should not accept SYST client certificate in INTG Environment and it should throw 401 UnAuthorized but it is accepting it and I am getting 200 Response.
I verified both the server configurations everything appears same and I don’t see any difference.
I identified this issue by stopping the site alternatively in both the servers.
We are using “iisClientCertificateAuthenticationMapping” and in that we have set the “manyToOneCertificateMappingsEnabled” as False and “oneToOneCertificateMapingsEnabled” as True and for “oneToOneMappings” I have set the userName, password and certificate(base64string).
Can you guys please let me know what are the possible reasons for the X server’s incorrect behavior.
INTG SERVERS:
Server X
Server Y