Can't disable TLS 1.0

Question

I'm working on Windows Server 2016 Standard and trying to disable TLS 1.0 and enable 1.1 and 1.2 with the IIS Crypto. However, whenever I disable 1.0 and keep 1.1 and 1.2 enabled, my IIS apps stop serving. I've rebooted the server after the changes.

I saw this post but it's not quite what I'm trying to do. There's also this fix but it doesn't apply to Server 2016.

My Global.asax.cs contains the following in the Application_Start():

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
ServicePointManager.SecurityProtocol &=
  ~(SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11);

What am I missing?

score 1 · Accepted Answer · answered Feb 28 '18 at 13:56

Found the answer by using the OpenSSL tool. You run the tool with the following command to test if the server supports various versions of TLS (with help from here):

openssl s_client -connect example.com:443 -tls1_1

CONNECTED(00000150)
40400:error:1417118C:SSL routines:tls_process_server_hello:version too low:ssl\statem\statem_clnt.c:917:
---
no peer certificate available
---
No client certificate CA names sent
---

The server didn't have a good cert so it could only support TLS 1.0.

Can't disable TLS 1.0

1 Answers1