J
JasonKowalczyk
We are deploying TLS 1.3 as a required protocol as well as Disabling TLS 1.1. On the 1909 version of software.
We are doing this via Registry Keys:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisablebyDefault == 0x1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisablebyDefault == 0x1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisablebyDefault == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisablebyDefault == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled == 0x0
It follows that we need to control the DefaultSecureProtocols keys as well.
The docs lists the following values and how to calculate complex values by adding the Hex Values
## 0x00000008 Enable SSL 2.0 by default
## 0x00000020 Enable SSL 3.0 by default
## 0x00000080 Enable TLS 1.0 by default
## 0x00000200 Enable TLS 1.1 by default
## 0x00000800 Enable TLS 1.2 by default
Can we assume that TLS 1.3 follows the same pattern? e.g.
[COLOR=rgba(215, 57, 0, 1)]## 0x00002000[/COLOR] [COLOR=rgba(215, 57, 0, 1)]Enable TLS 1.3 by default[/COLOR]
We would set this on the following keys to only allow TLS 1.2 and TLS 1.3
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols == 0x2800
Thanks for any clarification you can give, I can not find this on the Docs site or developer pages, but I could be wrong.
Reference: SUPPORT SITE
Continue reading...
We are doing this via Registry Keys:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client DisablebyDefault == 0x1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server DisablebyDefault == 0x1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client DisablebyDefault == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server DisablebyDefault == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client Enabled == 0x0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server Enabled == 0x0
It follows that we need to control the DefaultSecureProtocols keys as well.
The docs lists the following values and how to calculate complex values by adding the Hex Values
## 0x00000008 Enable SSL 2.0 by default
## 0x00000020 Enable SSL 3.0 by default
## 0x00000080 Enable TLS 1.0 by default
## 0x00000200 Enable TLS 1.1 by default
## 0x00000800 Enable TLS 1.2 by default
Can we assume that TLS 1.3 follows the same pattern? e.g.
[COLOR=rgba(215, 57, 0, 1)]## 0x00002000[/COLOR] [COLOR=rgba(215, 57, 0, 1)]Enable TLS 1.3 by default[/COLOR]
We would set this on the following keys to only allow TLS 1.2 and TLS 1.3
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp DefaultSecureProtocols == 0x2800
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SecureProtocols == 0x2800
Thanks for any clarification you can give, I can not find this on the Docs site or developer pages, but I could be wrong.
Reference: SUPPORT SITE
Continue reading...