configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1
Differences
This shows you the differences between two versions of the page.
configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1 [2021/09/30 14:12] – [Configuration Information for TLS 1.2.] wikiadmin | configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1 [2021/09/30 15:28] (current) – [Configure the Registry to Turn on TLS 1.2] wikiadmin | ||
---|---|---|---|
Line 9: | Line 9: | ||
===== Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows ===== | ===== Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows ===== | ||
- | This update provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1. | + | The Windows |
- | To obtain the stand-alone package for this update, go to the Microsoft Update Catalog website here: https:// | + | To obtain the stand-alone package for this update |
- | Prerequisites | + | __Prerequisites |
To understand why this update is or may be necessary, please review this Microsoft Support article: | To understand why this update is or may be necessary, please review this Microsoft Support article: | ||
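Review bot: On the rewritten stand-alone package sentence (second changed line of this hunk), the removed side pointed to the Microsoft Update Catalog with a link that is visible here only as "https://", and the added side is cut off after "this update" with no link showing; confirm the new sentence still carries the full catalog URL, since obtaining that package is the whole point of the section. The removed first line also named the systems the update covers (Windows Server 2012, Windows 7 SP1, Windows Server 2008 R2 SP1), while its replacement opens with "The Windows"; keep an explicit list of the versions it applies to. The new "__Prerequisites" underline markup needs a matching closing "__".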
Line 23: | Line 23: | ||
https:// | https:// | ||
+ | Before attempting to edit your Windows registry, **MAKE A BACKUP FILE OF YOUR REGISTRY**. | ||
+ | In order to open the Windows Registry in Windows Server 2008 R2 SP1, First click the Windows " | ||
+ | At the top of the Window' | ||
+ | |||
+ | ===== Configure the Registry to Turn on TLS 1.2 ===== | ||
+ | |||
+ | In the registry, browse to **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols** | ||
+ | |||
+ | Under the **Protocols** key, create a new Key that you will name as **TLS 1.2**. | ||
+ | |||
+ | In the same manner, create two new subkeys under the key that is named **TLS 1.2** and name these two new subkeys as **Client** and **Server** respectively. | ||
+ | |||
+ | In the Registry, browse to: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client** and Create a new DWORD value named: **DisabledByDefault** and Set the value to: 0 (hexadecimal) | ||
+ | |||
+ | How? Right click on the **Client** subkey, and left click on new - DWord 32bit and name the Dword as **DisabledByDefault** and right click the new Dword that is named **DisabledByDefault** and select ' | ||
+ | |||
+ | Also, under the **Client** subkey, create a new DWORD value named: **Enabled** and set the value to | ||
+ | **1** (hexadecimal). | ||
+ | |||
+ | Now, in the Registry, browse to the new subkey named **Server** located at: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server** | ||
+ | |||
+ | In the same manner under the **Server** subkey, create a new DWORD (32-bit) value named: **DisabledByDefault** and set its value in hexadecimal to: **0** | ||
+ | |||
+ | In the same manner under the **Server** subkey, create a new DWORD (32-bit) value named: **Enabled** and set its value to **1** | ||
+ | |||
+ | ===== Enable TLS 1.2 by default for WinHTTP ===== | ||
+ | |||
+ | Add the **DefaultSecureProtocols** DWORD value to the: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** registry key and | ||
+ | |||
+ | Add the **DefaultSecureProtocols** DWORD value to the: **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** registry key. | ||
+ | |||
+ | How? From the Windows search bar, use regedit to open the Window Registry Editor. | ||
+ | Browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp**. | ||
+ | Create a new DWORD value named: | ||
+ | **DefaultSecureProtocols** | ||
+ | |||
+ | and set the value of this new Dword (in hexadecimal) to: | ||
+ | **800** | ||
+ | |||
+ | On a 64-bit version of Windows, ALSO browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** and repeat the previous step by | ||
+ | |||
+ | Creating a new DWORD value named: | ||
+ | **DefaultSecureProtocols** | ||
+ | |||
+ | And set the value of this new Dword (in hexadecimal) to: | ||
+ | **800**. | ||
+ | |||
+ | ===== Block RC4 in .NET TLS ===== | ||
+ | |||
+ | If you have .NET Framework 4.x installed on the server, you should: | ||
+ | |||
+ | Add a **SchUseStrongCrypto** DWORD value to the **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319** registry key and also add it to the **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319** registry key. | ||
+ | |||
+ | From the Windows search bar, use regedit to open the Window Registry Editor. | ||
+ | Browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319**. | ||
+ | Create a new DWORD value named: | ||
+ | **SchUseStrongCrypto** | ||
+ | |||
+ | Set the value to: | ||
+ | **1** | ||
+ | |||
+ | On a 64-bit version of Windows, browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319** and repeat this same procedure by-- | ||
+ | |||
+ | Creating a new DWORD value named: | ||
+ | **SchUseStrongCrypto** | ||
+ | |||
+ | and setting the value to: | ||
+ | **1** | ||
+ | |||
+ | ==== Note: Restart the computer after modifying the registry ==== | ||
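Review bot: Under "Enable TLS 1.2 by default for WinHTTP" the value 800 is given for DefaultSecureProtocols with no statement of which protocols it selects; say that hexadecimal 800 is the TLS 1.2 flag on its own, so the reader knows TLS 1.0 and TLS 1.1 are not in the WinHTTP default set after this change, and state that this section relies on the WinHTTP update described at the top of the page being installed first. In the same section the first sentence ends on a dangling "and", and the two "Add the DefaultSecureProtocols DWORD value" sentences are then repeated step by step under "How?"; merge them into one numbered procedure. The backup warning says to make a backup file but the export steps that follow are cut off here, so check they name the menu item and where the file is saved. Smaller points: "Window Registry Editor" should read "Windows Registry Editor" (twice), "by--" under "Block RC4 in .NET TLS" should end with a colon, the SCHANNEL steps say "(hexadecimal)" for some values and not others, and the restart note is formatted as a heading at the very end where it is easy to miss; consider a final step that also tells the reader how to confirm TLS 1.2 is negotiated after the restart.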
configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1.1633011148.txt.gz · Last modified: 2021/09/30 14:12 by wikiadmin