4

Yes, I rebooted the server. Several times.

This actually affects both TLS 1.1 and 1.2. The only one currently working is 1.0.

I followed the instructions here: http://support.microsoft.com/kb/245030

I've double checked all the names and values; I've had someone else double check all the names and values.

[Screenshot: registry]

Both Qualys and IE confirm that 1.1 and 1.2 are not functioning for multiple (presumably all) HTTPS-enabled sites on the server.

Any ideas on how to further investigate this would be awesome.

Edit: More screenshots.

[Screenshot: registry2]

[Screenshot: windows-version]

pantsburgh
  • Question - Do you have the FIPS policy enabled? `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy` – Ryan Ries Nov 22 '14 at 01:43
  • FIPS policy is disabled, but SSL v3 is also disabled separately. – pantsburgh Nov 22 '14 at 09:22
  • I added the same in both client and server, still it didn't work after rebooting the system. Any help would be highly appreciated. –  Feb 04 '16 at 02:16

2 Answers

7

To enable the system to use the protocols that will not be negotiated by default (such as TLS 1.1 and TLS 1.2), change the DWORD value data of the DisabledByDefault value to 0x0 in the following registry keys under the Protocols key:

SCHANNEL\Protocols\TLS 1.1\Client

SCHANNEL\Protocols\TLS 1.1\Server

SCHANNEL\Protocols\TLS 1.2\Client

SCHANNEL\Protocols\TLS 1.2\Server

Try adding that to both TLS 1.1 and 1.2 under the Server key like you have it in the Client keys.

bentek
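
The check described in the answer above, as an added PowerShell example (not code from the original posts): it reports `DisabledByDefault` and `Enabled` for all four TLS 1.1/1.2 Client and Server keys so that a missing Server-side value stands out. The full `HKLM` path, the `-Root` and `-Fix` parameter names and the helper function are assumptions of this example; `Enabled` is the companion value from the KB article linked in the question.

```powershell
# Added example: audit (and optionally set) the SCHANNEL protocol values.
# Run from an elevated session; SCHANNEL changes take effect after a reboot.
param(
    # Assumed full path of the "SCHANNEL\Protocols" key abbreviated in the answer.
    [string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols',
    # Hypothetical switch: write the values instead of only reporting them.
    [switch]$Fix
)

$protocols = 'TLS 1.1', 'TLS 1.2'
$roles     = 'Client', 'Server'

function Get-DwordOrNull([string]$Path, [string]$Name) {
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($proto in $protocols) {
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $Root $proto) $role
        if ($Fix) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 `
                -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
        $dbd     = Get-DwordOrNull $key 'DisabledByDefault'
        $enabled = Get-DwordOrNull $key 'Enabled'
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            KeyExists         = Test-Path $key
            DisabledByDefault = $dbd
            Enabled           = $enabled
            # Ok only when both values are explicitly present and permit the protocol.
            Ok = ($dbd -eq 0) -and ($null -ne $enabled) -and ($enabled -ne 0)
        }
    }
}
$report | Format-Table -AutoSize
```

Pointing `-Root` at a scratch key lets the script be exercised without touching the live SCHANNEL configuration.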
0

An alternative solution is to use IIS Crypto.

Stanislav