Update: This tool should make this job much easier: https://www.nartac.com/Products/IISCrypto/Default.aspx
But feel free to use the following information to do the job...
Here are the straightforward steps to enable TLS 1.1 and TLS 1.2 on a Windows Server 2008 R2 server:
- Please back up your registry.
- Start the registry editor (regedit).
- Browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Add the following keys: TLS 1.1 and TLS 1.2
- Within each of the TLS 1.1 and TLS 1.2 keys (they look like folders), add these keys: Client and Server
- Within each of the Client and Server keys, create the following DWORD values: DisabledByDefault with a value of 0, and Enabled with a value of 1
- Reboot the server.
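The same registry changes as the steps above, scripted in PowerShell with a read-back check so you can confirm what was written before rebooting. This is an added example, not code from the original post; it assumes an elevated PowerShell prompt on the server and that the registry has already been backed up.

```powershell
# Added example: create the SCHANNEL protocol keys and DWORD values from the
# manual steps above, then read them back. Assumes an elevated prompt and a
# prior registry backup; a reboot is still required for SCHANNEL to pick them up.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    param([Parameter(Mandatory=$true)][string]$Protocol)   # e.g. 'TLS 1.1'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DisabledByDefault = 0 and Enabled = 1, exactly as in the manual steps
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory=$true)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            New-Object PSObject -Property @{
                Protocol = $Protocol; Side = $side
                Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault
            }
        } else {
            # No key at all means SCHANNEL uses the operating system default for that protocol
            New-Object PSObject -Property @{
                Protocol = $Protocol; Side = $side
                Enabled = '(default)'; DisabledByDefault = '(default)'
            }
        }
    }
}

'TLS 1.1', 'TLS 1.2' | ForEach-Object { Enable-SchannelProtocol $_ }
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocolState $_ } |
    Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

Run it, reboot, and then repeat the external check described below (a browser restricted to TLS 1.2, or an SSL Labs scan) to confirm the server actually negotiates the new versions.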
I tested the new settings by configuring Internet Explorer 9 to only use TLS 1.2 and connected to a secure page on one of the websites on my server. Here is where you configure IE9 to do this:
Do your customers a favor (and thus yourself) by allowing them to use a more secure version of SSL/TLS on your website. Configure your IIS server to use TLS 1.1 and TLS 1.2. Hopefully all web browsers will support these versions in the very near future, but at least Internet Explorer 9 already does.


Thanks! This is exactly what I needed.
I wonder why all active protocols (i.e., SSL 3.0 and TLS 1.0) aren't listed as Reg keys? It makes it a bit confusing to keep track of what is on and what is off on a server. I ended up using https://www.ssllabs.com/ssldb/index.html to check my server.
I'm glad this helped you. And thank you for the link to ssl labs - very useful!
[...] Should Disable SSL 2.0 Nov. 15, 2011 in IIS, Web Site Administration, Windows In my previous post Enable TLS 1.1 and TLS 1.2 in IIS, I discussed how to enable TLS 1.1 and TLS 1.2. Now I want to take that a step further by disabling [...]
Use this tool, it is a lot easier:
https://www.nartac.com/Products/IISCrypto/Default.aspx
worked like a charm and super easy, thanks!
@Rovastar: Thanks for the link to the excellent IIS Crypto tool!
I could configure SSL on my server in the cloud with the help of this post. Thank you.
Thanks for the article. I followed the steps to change/add the registry keys, but when I use ssllabs.com to scan my site after the reboot it still says that TLS 1.1 and TLS 1.2 are not enabled. Any ideas on why the change isn't being picked up?
Try using this tool instead and see if you have better luck: https://www.nartac.com/Products/IISCrypto/Default.aspx
Just a word of caution - if you switch off TLS 1.0 using the Nartac tool, you actually lose the possibility to connect using RDP...
Hi
I ran the Fix it tools from Microsoft MS12-006 (http://support.microsoft.com/kb/2643584): Fix it solution for TLS 1.1 on Internet Explorer (Microsoft Fix it 50773) and Fix it solution for TLS 1.1 on Windows-based servers (Microsoft Fix it 50774). I also utilized this tool from https://www.nartac.com/Products/IISCrypto/Default.aspx and removed TLS 1.0 via the PCI button. After I rebooted the server, it couldn't boot to the Windows screen; it displayed the Microsoft Corporation meter bar and then gave me the black screen. I tried to boot to the last known configuration and restored the full registry; however, it gave me the error that it couldn't import it. I don't know what happens if I restart the server again. Any ideas? Please help. Thanks.
Peter
**************************************
I had this patch on the Windows server, but it still failed the BEAST scan:
Windows Server 2008 R2 for x64-based Systems Service Pack 1* (KB2585542) - Information Disclosure - Important - No bulletin replaced by KB2585542