
The problem: IIS on Windows 2012 picks the SHA-1 algorithm when the client uses a SHA-1 certificate, even though the server-side certificate is SHA-256. So Chrome/Edge don't work.

On an analogous Windows 2016 setup, IIS uses a proper algorithm and everything works. This is because KB4516061 fixed the issue: "Addresses an issue that chooses a SHA-1 hash algorithm for the secure (HTTPS/TLS) connection to a Windows server."

(Yes, I know about SHA-1, but this is a corporate environment, and some users still have SHA-1 certificates on their smart cards...)

Question: how to make it work on Windows 2012? Maybe some registry setting? Some hotfix KB I am not aware of?

What I tried:

  1. "Best practices" in IIS Crypto.
  2. That, and in addition disable SSL3.0 and SHA-1 in all lists.
  3. HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003: remove SHA-1 from the Functions value, but that messes up the whole computer.
Mikhail Orlov

1 Answer


A way to overcome this is to:

  1. Disable everything except TLS 1.0 in server protocols in IISCrypto. Don't touch client protocols.
  2. Since Edge doesn't allow TLS 1.0 and TLS 1.1 by default, apply the following, which will stop working in version 91 in a few months:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge]
"SSLVersionMin"="tls1"

Another option would be to force the website into IE11 compatibility mode in Edge; IE11 is much less picky.

Mikhail Orlov
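The workaround above leaves the server accepting only TLS 1.0 and lowers the Edge protocol floor, which is easy to forget about once the SHA-1 cards are gone. The following audit script is an added example, not part of the original question or answer; it reads the standard Schannel protocol keys and the Edge SSLVersionMin policy and reports whether the downgrade is in effect on the machine it runs on.

```powershell
# Added example: audit the Schannel server-side protocol state and the Edge
# SSLVersionMin policy touched by the workaround above. Registry layout and the
# Enabled/DisabledByDefault semantics are the standard Schannel ones.
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    foreach ($p in $protocols) {
        $key = Join-Path $base "$p\Server"
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            $enabled = $v.Enabled
            $disabledByDefault = $v.DisabledByDefault
        }
        # No key at all means the OS default applies; Enabled=0 is an explicit off.
        $state = if ($enabled -eq 0) { 'disabled' }
                 elseif ($disabledByDefault -eq 1) { 'disabled-by-default' }
                 elseif ($null -eq $enabled) { 'os-default' }
                 else { 'enabled' }
        [pscustomobject]@{ Protocol = $p; ServerState = $state }
    }
}

$states = Get-SchannelServerState
$states | Format-Table -AutoSize

# Flag the downgrade: TLS 1.0 still offered while TLS 1.1 and 1.2 are both off.
$off = 'disabled', 'disabled-by-default'
$tls10On = ($states | Where-Object Protocol -eq 'TLS 1.0').ServerState -notin $off
$modernOff = @($states | Where-Object {
    $_.Protocol -in 'TLS 1.1', 'TLS 1.2' -and $_.ServerState -in $off
}).Count -eq 2
if ($tls10On -and $modernOff) {
    Write-Warning 'Server offers only TLS 1.0: the SHA-1 client-certificate workaround is in effect.'
}

# Edge policy from the answer: SSLVersionMin=tls1 lowers the browser floor to TLS 1.0.
$edge = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$min = (Get-ItemProperty -Path $edge -Name SSLVersionMin -ErrorAction SilentlyContinue).SSLVersionMin
if ($min) { "Edge SSLVersionMin policy: $min" } else { 'Edge SSLVersionMin policy: not set' }
```

Run it elevated on the IIS host; once the SHA-1 smart cards are retired, the same output tells you which of the two settings still needs to be reverted.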