Wednesday, October 5, 2011

Enable TLS 1.1 and TLS 1.2 on Windows Server 2008 R2 and IIS 7.5

You are probably aware that SSL has been hacked: that is, versions of SSL before 3.2 and TLS 1.1 are vulnerable. Thankfully, Windows Server 2008 R2 comes with the capability to support TLS 1.1 and TLS 1.2; however, they are not enabled by default. I found some decent information on how to enable TLS 1.1 and TLS 1.2, but no straightforward instructions on how to do so. The bottom line is that you have to edit the registry and then reboot the server.

Update: This tool should make this job much easier: https://www.nartac.com/Products/IISCrypto/Default.aspx

But feel free to use the following information to do the job...

Here are the straightforward steps to enable TLS 1.1 and TLS 1.2 on a Windows Server 2008 R2 server:
  1. Please back up your registry.
  2. Start the registry editor (regedit).
  3. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  4. Add the following keys:
    TLS 1.1 and TLS 1.2
  5. Within each of the TLS 1.1 and TLS 1.2 keys (they look like folders), add these keys: Client and Server.
  6. Within each of the Client and Server keys, create the following DWORD values:
    • DisabledByDefault with a value of 0
    • Enabled with a value of 1
  7. Reboot the server.
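The same steps can be scripted so they are repeatable across several servers. The following is an added example, not part of the original post; it assumes an elevated PowerShell prompt on the server and that the SCHANNEL\Protocols key already exists (it does on a default 2008 R2 install). It backs up the key first, creates the keys and values from steps 3 to 6, and then reads them back to confirm each one.

```powershell
# Added example (not from the original post): scripts steps 1 and 3-6 above.
# Assumes an elevated PowerShell prompt; a reboot (step 7) is still required.
$protocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$backupFile    = Join-Path $env:TEMP 'schannel-protocols-backup.reg'

# Step 1: export the Protocols key before touching it
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backupFile /y | Out-Null
Write-Host "Registry backup written to $backupFile"

# Steps 3-6: create TLS 1.1\Client, TLS 1.1\Server, TLS 1.2\Client, TLS 1.2\Server
foreach ($protocol in @('TLS 1.1', 'TLS 1.2')) {
    foreach ($side in @('Client', 'Server')) {
        $keyPath = "$protocolsPath\$protocol\$side"
        # -Force also creates the intermediate "TLS 1.x" key if it is missing
        if (-not (Test-Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        # DisabledByDefault = 0 and Enabled = 1 switch the protocol on for this side
        New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name 'Enabled'           -Value 1 -PropertyType DWORD -Force | Out-Null
    }
}

# Verification: read every value back and flag anything that does not match
$allOk = $true
foreach ($protocol in @('TLS 1.1', 'TLS 1.2')) {
    foreach ($side in @('Client', 'Server')) {
        $keyPath = "$protocolsPath\$protocol\$side"
        $props   = Get-ItemProperty -Path $keyPath
        $ok      = ($props.DisabledByDefault -eq 0) -and ($props.Enabled -eq 1)
        if (-not $ok) { $allOk = $false }
        '{0}\{1}: DisabledByDefault={2} Enabled={3} -> {4}' -f $protocol, $side,
            $props.DisabledByDefault, $props.Enabled, $(if ($ok) { 'OK' } else { 'MISMATCH' })
    }
}

if ($allOk) {
    Write-Host 'All four keys are set. Reboot the server so SCHANNEL picks up the new settings.'
} else {
    Write-Warning 'One or more values did not match; review the output above before rebooting.'
}
```

The values only take effect after the reboot in step 7, so the verification above confirms the registry contents, not that the server is already negotiating TLS 1.1 or 1.2.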
You should now have registry settings that look like:


I tested the new settings by configuring Internet Explorer 9 to only use TLS 1.2 and connected to a secure page on one of the websites on my server. Here is where you configure IE9 to do this:


Do your customers a favor (and thus yourself) by allowing them to use a more secure version of SSL/TLS on your website. Configure your IIS server to use TLS 1.1 and TLS 1.2. Hopefully all web browsers will support these versions in the very near future, but at least Internet Explorer 9 already does.