35

We want to support web browsers utilizing TLS 1.1 and 1.2, which has been apparently implemented by Microsoft, but is turned off by default.

So I went searching on Google and discovered some pages everyone seems to be following:

http://support.microsoft.com/kb/245030

https://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html

However! It doesn't appear to be working for me. I have set both DWORD values for DisabledByDefault and Enabled for TLS 1.1 and 1.2. I can confirm my client is attempting to communicate with TLS 1.2, but the server only responds with 1.0. I've restarted IIS, but it didn't change the situation.

Microsoft points out: "WARNING: The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential."

Well, that's very vague to me. I can't find anywhere where SCHANNEL_CRED is defined or set; all I can determine is that it's a structure defined in a Microsoft library. That's my only guess for why this isn't working, yet I can't find enough information on it to determine if it is the true problem.

Marcel
Sam Rueby

4 Answers

50

Reboot. Changes to Schannel settings do not take effect until the system is rebooted.

Shane Madden
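The registry change from the question plus the reboot from this answer, as an added PowerShell example (not code from the question, the answers, or Microsoft). It writes the two DWORDs KB245030 describes for TLS 1.1 and 1.2, reads them back so a mistyped key or a REG_SZ written by mistake is visible, and then probes the server one protocol version at a time so you can see what Schannel actually negotiates after the reboot. Assumptions not in the original post: it runs elevated on the IIS host, uses Windows PowerShell on .NET 4.5 or later (the Tls11/Tls12 enum members do not exist on older .NET), and the hostname web01.example.internal is a placeholder.

```powershell
# Added example, not code from the original question or answers.
# Assumes: elevated Windows PowerShell, .NET 4.5+, placeholder hostname.
$ErrorActionPreference = 'Stop'
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    # Creates Protocols\<name>\Server and \Client with Enabled=1 and
    # DisabledByDefault=0, the pair of values KB245030 describes.
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [ValidateSet('Server', 'Client')][string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 switches the protocol on at all; DisabledByDefault=0 lets
        # Schannel offer it when the caller does not pass an explicit protocol
        # list (the SCHANNEL_CRED case the Microsoft warning refers to).
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reads the values back; a missing key or a wrong value type shows up here
    # before you spend a reboot finding out.
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($s in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $s
            Enabled           = if ($p) { $p.Enabled } else { '(missing)' }
            DisabledByDefault = if ($p) { $p.DisabledByDefault } else { '(missing)' }
        }
    }
}

function Test-TlsHandshake {
    # Forces a single protocol version on a raw TCP connection, so a null
    # result means the server refused that version, not that a cipher failed.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate: this tests the protocol, not trust.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $ssl.SslProtocol
    } catch {
        return $null
    } finally {
        $tcp.Close()
    }
}

# 1. On the IIS host: write the keys and verify what landed in the registry.
Enable-SchannelProtocol -Protocol 'TLS 1.1'
Enable-SchannelProtocol -Protocol 'TLS 1.2'
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocolState $_ } | Format-Table -AutoSize
Write-Warning 'Schannel reads these keys at boot. Restarting IIS is not enough; reboot, then probe.'

# 2. After the reboot, from a client: which versions does the server accept?
foreach ($v in 'Tls', 'Tls11', 'Tls12') {
    $got = Test-TlsHandshake -HostName 'web01.example.internal' -Protocol $v
    '{0,-6} -> {1}' -f $v, $(if ($got) { $got } else { 'refused' })
}
```

If the probe still reports only Tls after the reboot, the registry is not the problem and the next thing to check is whether the application opening the listener passes its own protocol list to Schannel, which is exactly the precedence the Microsoft warning in the question describes.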
13

The easiest way to make changes in Microsoft SChannel protocols and ciphers (including cipher ordering) is to use IIS Crypto which is a completely free tool that can be downloaded without any kind of annoying registration requirements.

The tool manipulates the registry keys under the covers; however, it does so in a controlled, proven and safe way. We use it regularly.

It is also worth noting that it can help in automation scenarios as it has a command line version in addition to a GUI version.

There is also a blog that discusses some of the changes and why they have been made. The tool tends to be kept up to date when SSL issues arise.

LCC
CarlR
0

Enabling TLS 1.1 and 1.2 requires a reboot. Disabling RC4 and DH takes effect directly, without restarting the server or services.

If I remember correctly, disabling SSLv2 and SSLv3 was also instantly effective.

-1

https://technet.microsoft.com/en-us/library/dn786418.aspx

To enable the protocol, change the DWORD value to 0xffffffff.

VasekB