• Home
  • Ubuntu 20.04
    • Upgrade Ubuntu
    • Install Java
    • Install Node.js
    • Install Docker
    • Install LAMP Stack
  • Tutorials
    • AWS
    • Shell Scripting
    • Docker
    • Git
    • MongoDB
  • Funny Tools
  • FeedBack
  • Submit Article
  • About Us
TecAdmin
Menu
  • Home
  • Ubuntu 20.04
    • Upgrade Ubuntu
    • Install Java
    • Install Node.js
    • Install Docker
    • Install LAMP Stack
  • Tutorials
    • AWS
    • Shell Scripting
    • Docker
    • Git
    • MongoDB
  • Funny Tools
  • FeedBack
  • Submit Article
  • About Us

How to Enable TLS 1.2 on Windows Server 2008 R2 and IIS 7.5

Written by Rahul, Updated on March 23, 2018

Nowadays there is an SSL vulnerability called POODLE discovered by Google team in SSLv3 protocol. So uses of SSLv3 is not secure to use. Now it’s recommended using TLS 1.2. This article will help you enable TLS security in Windows Server 2008 R2 or later versions by editing registry.

Step 1 – Backup Registry Settings

We strongly recommend taking a backup of the registry before making any changes. Use below link to find steps to how to export registry values.

Step 2 – Enable TLS 1.2 on Windows

You have two options to enable TLS version on your system.

Option 1 – Merge Resistry File

Download the Enable-TLS12-Windows.reg and Enable-TLS12-TLS11-Windows.reg files on your Windows system. Now right click on file and click Merge.

Option 2 – Manually Update Registry

You can do this by directly editing registry file manually.

2.1 Open registry on your server by running ‘regedit‘ in run window and navigate to below location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

2.2 Add the TLS 1.1 and TLS 1.2 keys under Protocols. It will looks like directories.

TLS-1

2.3 Now create two keys Client and Server under both TLS keys.

2.4 Now create the DWORD Values under Server and Client key as following

  DisabledByDefault [Value = 0]
  Enabled [Value = 1]

TLS-2

Step 3 – Disable TLS and SSL Older Versions

3.1 Open registry on your server by running ‘regedit’ in run window and navigate to below location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

3.2 Now change DWORD Values under Server and Client under TLS 1.0, SSL 3.0 and Older SSL version keys.

  DisabledByDefault [Value = 0]
  Enabled  [Value = 0]

After making all above setting reboot your server.

Share it!
Share on Facebook
Share on Twitter
Share on LinkedIn
Share on Reddit
Share on Tumblr
Share on Whatsapp
Rahul
Rahul
Connect on Facebook Connect on Twitter

I, Rahul Kumar am the founder and chief editor of TecAdmin.net. I am a Red Hat Certified Engineer (RHCE) and working as an IT professional since 2009..

27 Comments

  1. Avatar RR Reply
    August 26, 2020 at 1:25 am

    TC: See the following to get A+ on Windows Server 2008 R2 SP1:
    1. https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
    2. https://support.microsoft.com/kb/3080079 <– for RDP to work with TLS 1.0 disabled
    3. https://support.microsoft.com/kb/3140245 <– for WinHttp
    4. https://support.microsoft.com/kb/2992611 <– for TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    5. https://support.microsoft.com/kb/3175024 <– for Diffie-Hellman ServerMinKeyBitLength
    You need to install the patches per KB (items 2-5) for the registry changes (in item 1) to work.

  2. Avatar TC Reply
    July 28, 2020 at 2:14 pm

    Can’t get this working on Server 2008 R2.
    Have tried manually, scripted and using Nartac’s IISCrypto, but even after a reboot, my SSL Report fails with “Assessment failed: No secure protocols supported” and I can’t connect to any of the web pages on the server.

    Have repeatedly checked the registry keys so that SSL 2.0, SSL 3.0 and TLS 1.0 are disabled, TLS 1.1 and TLS 1.2 are enabled.

    I noticed when I used IISCrypto though, that the values for TLS1.1 and TLS1.2 wehere configured as hex 0xffffffff or decimal value 4294967295. It is not configured as 1 as per my registry values:

    *****************************************************************************************************
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    “Enabled”=dword:ffffffff
    “DisabledByDefault”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    “Enabled”=dword:ffffffff
    “DisabledByDefault”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    “Enabled”=dword:ffffffff
    “DisabledByDefault”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    “Enabled”=dword:ffffffff
    “DisabledByDefault”=dword:00000000
    *****************************************************************************************************

    I’m guessing the value just needs to be a positive integer. But configuring the “Enabled” DWORD as decimal 1 didn’t make any difference anyway. Trying to figure out why it’s not working though. Any thoughts?

    • Avatar Art Cashin Reply
      August 7, 2020 at 6:04 pm

      Can you try the steps from 5-7 listed on this page
      https://support.solarwinds.com/SuccessCenter/s/article/Enable-TLS-1-2-on-Windows-Server-2008?language=en_US

  3. Avatar Oliveira Reply
    July 23, 2020 at 3:16 am

    Thank you very much, it worked just fine in my environment (Server 2008 R2 SPK1) IIS 6.1

  4. Avatar Caio Reply
    July 21, 2020 at 7:19 am

    Thank you!
    Microsoft’s official article and “easy fix” was missing some registry entries 🤦‍♂️

  5. Avatar Joel Reply
    June 30, 2020 at 1:05 am

    ¡Excelente! Funcionó al 100% a la primera.
    Gracias por compartir.

  6. Avatar David Reply
    March 18, 2020 at 7:05 am

    Worked like a champ. Thank YOU!

  7. Avatar Michael Cook Reply
    July 14, 2019 at 11:27 pm

    Here’s a PowerShell script I wrote that does it too.

    $SSLTLS = “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols”
    $Types = “Client” , “Server”
    $SK2V = ( 0..7 | % { 0 } ) + ( 8..9 | % { 1 } )

    $Protocols = @( 2..3 | % { “SSL $_.0” } ) + @( 0..2 | % { “TLS 1.$_” } )
    $Protocols | % `
    {
    $Path = “$SSLTLS\$_”
    If ( ( Test-Path $Path ) -ne $True ) { NI -Path “$SSLTLS” -Name “$_” }
    $Types | % { If ( ( Test-Path “$Path\$_” ) -ne $True ) { NI -Path “$Path” -Name “$_” } }
    }

    $Path = @( $Protocols | % { “$SSLTLS\$_\Client” ; “$SSLTLS\$_\Server” } )

    0..( $Path.Count – 1 ) | % `
    {
    If ( ( gci $Path ) -eq $Null )
    { SP -Path ( $Path[$_] ) -Name “DisabledByDefault” -Type “DWORD” -Value “0”
    SP -Path ( $Path[$_] ) -Name “Enabled” -Type “DWORD” -Value ( $SK2V[$_] ) } }

  8. Avatar Shadid Reply
    December 9, 2018 at 8:00 am

    Please dont provide a false information on something that you are not sure about !
    It’s clearly say set a dward to 1 per MS docs
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)#BKMK_SchannelTR_TLS12

    Also there is another URL that show to how disable all the protocols on
    https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

    I’m shocked of the number of people who are trying to figure out things by them self ! Anyway, i will sum all that text with the registry file below:

    pastebin Link : https://pastebin.com/7RN6m15G

    ;Start Registry File
    ;———————-
    Windows Registry Editor Version 5.00

    ;Microsoft Document https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)#BKMK_SchannelTR_TLS12
    ;This document will disable the follow:
    ; – PCT 1.0
    ; – SSL 2.0
    ; – SSL 3.0
    ; – TLS 1.0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

    ;PCT 1.0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    ;SSL 2.0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    ;SSL 3.0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    ;TLS 1.0
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    ;TLS 1.1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    “DisabledByDefault”=dword:00000000
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    “DisabledByDefault”=dword:00000000
    “Enabled”=dword:00000001

    ;TLS 1.2
    ;Note: For Win7 / Win2008R2, you must have DisabledByDefault set to 0 in client Win7 and in Both Win2008R2
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    “DisabledByDefault”=dword:00000000
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    “DisabledByDefault”=dword:00000000
    “Enabled”=dword:00000001

    ;———————
    ;End Registry File

  9. Avatar Vignesh Reply
    November 21, 2018 at 9:30 am

    SSL Certificate Incorrect Configuration – INTG Server Accepts SYST client Certificate and returns 200 response

    We have developed a Web API application and we are using Mutual TLS V1.2 for Authentication. We have two servers (X and Y) in INTG Environment and also we have a load balancer. Server X and Y are accessed via load balancer server.

    I have hit one of the Web Api Get request URL by selecting the Client certificate in Chrome browser if the request goes to server Y and if I pass a valid INTG client certificate it’s working fine and If I pass invalid client certificate or other environment(SYST) certificate it throws 401 UnAuthorized. This is the correct behavior and it is working fine in Y.

    But in the Server X if I pass invalid certificate it’s throwing 401 Unauthorized but if I pass SYST Client Certificate it’s working and I am getting the 200 response. It should not accept SYST client certificate in INTG Environment and it should throw 401 UnAuthorized but it is accepting it and I am getting 200 Response.

    I verified both the server configurations everything appears same and I don’t see any difference.

    I identified this issue by stopping the site alternatively in both the servers.

    We are using “iisClientCertificateAuthenticationMapping” and in that we have set the “manyToOneCertificateMappingsEnabled” as False and “oneToOneCertificateMapingsEnabled” as True and for “oneToOneMappings” I have set the userName, password and certificate(base64string).

    Can you guys please let me know what are the possible reasons for the X server’s incorrect behavior.

    INTG SERVERS:

    Server X
    Server Y

  10. Avatar JEFF Reply
    May 1, 2018 at 11:39 pm

    The notion that setting the Enable key to 0x00000001 is absolutely incorrect. To activate the TLS setting, the Enable key must be set to 0xffffffff. This is the only way I could get it to function correctly

    • Avatar Shadid Reply
      December 9, 2018 at 7:58 am

      Please dont provide a false information on something that you are not sure about !
      It’s clearly say set a dward to 1 per MS docs
      https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)#BKMK_SchannelTR_TLS12

      Also there is another URL that show to how disable all the protocols on
      https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat

      I’m shocked of the number of people who are trying to figure out things by them self ! Anyway, i will sum all that text with the registry file below:

      pastebin Link : https://pastebin.com/7RN6m15G

      ;Start Registry File
      ;———————-
      Windows Registry Editor Version 5.00

      ;Microsoft Document https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)#BKMK_SchannelTR_TLS12
      ;This document will disable the follow:
      ; – PCT 1.0
      ; – SSL 2.0
      ; – SSL 3.0
      ; – TLS 1.0

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

      ;PCT 1.0
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      ;SSL 2.0
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      ;SSL 3.0
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      ;TLS 1.0
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      “DisabledByDefault”=dword:00000001
      “Enabled”=dword:00000000

      ;TLS 1.1
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
      “DisabledByDefault”=dword:00000000
      “Enabled”=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      “DisabledByDefault”=dword:00000000
      “Enabled”=dword:00000001

      ;TLS 1.2
      ;Note: For Win7 / Win2008R2, you must have DisabledByDefault set to 0 in client Win7 and in Both Win2008R2
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
      “DisabledByDefault”=dword:00000000
      “Enabled”=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      “DisabledByDefault”=dword:00000000
      “Enabled”=dword:00000001

      ;———————
      ;End Registry File

  11. Avatar prat Reply
    March 19, 2018 at 11:34 pm

    I have did exactly same on windows 2008R2 SP1 but to my surprise when i run wireshark logs i can see the communication still happens on tls 1.0. Why is it so ?

  12. Avatar Ed Reply
    June 10, 2016 at 3:47 pm

    I am running Server 21012R2, and made all the suggested changes. Still, I get the handshake error when using Chrome. Is there anything else that must be done, downloaded, upgraded, whatever, to make Chrome work again?

    • Avatar Ed Reply
      June 28, 2016 at 12:12 pm

      If, like me, after making the suggested registry edits, you continue to receive the handshake fallback error, this might help:
      https://support.microsoft.com/en-us/kb/2992611

      This is an update that came out in 2014, but had not been installed on my server. It is a fix to a vulnerability in SChannel. After installation, Chrome displays my site properly.

  13. Avatar MpDay Reply
    December 10, 2015 at 11:27 pm

    Ugo Meex, you have made my day! This is the official Golden TIP of the month! Took me 4 days to investigate why Windows 10 1511 (fall update) clients couldn’t connect to our RADIUS Wi-Fi network anymore. With your tool, it took me 3 mouse clicks and 1 reboot…. everything solved.

  14. Avatar curly Reply
    May 13, 2015 at 4:28 pm

    It should be made very clear that this works for Server 2008 R2 and later, but *will not* work for “Server 2008” (which also means, it will not work for SBS 2008 either). Unfortunately, the article title is misleading; TLS 1.1/1.2 are not supported prior to Server 2008R2 and SBS 2011 on the server side.

  15. Avatar Ugo Meex Reply
    April 30, 2015 at 2:49 am

    While this article is certainly very useful, in a windows environment it would be far easier to use the IISCrypto tool by Nartac Software. It’s small, it’s free, it’s easy to use.

    Rather than having to read and edit the registry, this utility gives you a GUI to make these changes.
    It also offers 1 click config for: Best practices, PCI and FIPS 140-2
    https://www.nartac.com/Products/IISCrypto/

    Same result, but faster and certainly easier. 🙂

  16. Avatar Mike Varga Reply
    March 4, 2015 at 8:23 pm

    These instructions have been tested as incomplete… They do not disable the protocols properly… We’ve used the following script to resolve the issue successfully…

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols]

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0]

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Client]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server]
    “Enabled”=dword:00000000

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1]

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Client]
    “Enabled”=dword:00000001
    “DisabledByDefault”=dword:00000000

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Server]
    “DisabledByDefault”=dword:00000000
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2]

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client]
    “DisabledByDefault”=dword:00000000
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server]
    “DisabledByDefault”=dword:00000000
    “Enabled”=dword:00000001

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0]

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Client]
    “Enabled”=dword:00000000
    “DisabledByDefault”=dword:00000001

    [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Server]
    “DisabledByDefault”=dword:00000001
    “Enabled”=dword:00000000

    • Avatar Payton Reply
      April 6, 2016 at 5:42 pm

      Your script does the exact same thing as the manual instructions listed in this article, how is it incomplete?

      • Avatar Kris Reply
        June 27, 2016 at 9:54 am

        for ssl 2.0 you have DisabledByDefault [Value = 0] but the script does “DisabledByDefault”=dword:00000001

        • Avatar Vikas Reply
          June 29, 2016 at 5:54 pm

          I ran this script and it did nothing. I have Server 2008 R2. FYI, I do not have TSL 1.0 and 2.0 but if I am not wrong this script should create entries for these.
          Thanks

  17. Avatar Ken Nelson Reply
    January 15, 2015 at 9:24 pm

    This will not work on Windows Server 2008 SP2 but does work on Windows Server 2008 R2.
    TLS 1.1 and TLS 1.2 does not seem to come with Windows Server 2008 SP2, a bit of an issue for me.

  18. Avatar Greg Reply
    December 22, 2014 at 8:48 pm

    Hi Rahul, thanks for this. Shouldn’t your Step 3.2 be: DisabledByDefault [Value = 1] rather than [Value = 0] to disable by default?

    • Avatar Ryan Reply
      December 26, 2014 at 3:02 pm

      Greg,

      No. By setting the value of DisabledByDefault to 1, you are making the value true, thus disabling the protocol “by default”.

      • Avatar Payton Reply
        April 6, 2016 at 5:46 pm

        Isn’t disabling the SSL protocols by default exactly what is wanted?

  19. Avatar Moe Reply
    December 13, 2014 at 3:53 pm

    Will this instruction to add TLS 1.1 and TLS 1.2 work on Windows 2008 Standard version?

Leave a Reply Cancel reply

Popular Posts

  • How To Install Python 3.9 on Debian 10
  • Download Ubuntu 20.04 LTS – DVD ISO Images
  • Linux Run Commands As Another User
  • How to Check PHP Version (Apache/Nginx/CLI)
  • How To Install and Configure GitLab on Ubuntu 20.04
  • How to Install PyCharm on Ubuntu 20.04
  • How to Check Ubuntu Version with Command or Script
  • How to Set all directories to 755 And all files to 644
© 2013-2021 Tecadmin.net. All Rights Reserved | Terms  | Privacy Policy