
First, for those of you who might think this question has been asked so many times before that it is a useless duplicate...

  1. I cannot (yet) comment on other questions, so my only option on this is to ask a new question.
  2. I've searched and read the following articles on different portals online, but still have no solution for my particular problem:

The official article from Microsoft here, also the TechNet articles article #1 and article #2. Then I went for more information on MSFN and Stackexchange. I've also read this SF post, where I originally wanted to post a comment. Unfortunately all was to no avail...

So what is the problem? It is that famous problem of enabling TLS 1.1/1.2 on MS Windows Server 2008 SP2, which in my case turns out to be a nightmare. I've a VM with MS Windows 2008 SP2 running inside; the OS is patched and up-to-date. I've tried to install the Microsoft Standalone Updates KB4019276 and KB4056564, as recommended by the posters in the MSFN article, but I'm unable to install them (both x86 and x64, also tried all patch dates, not only the newest one). I get this response from the OS: "The update does not apply to your system." I then thought these patches must have already been installed at some earlier point in time, and indeed KB4056564 has been installed. So I went to manually modify the registry according to the above mentioned article from SF. I've modified the registry, restarted the VM and wanted to configure MSIE 9 in order to allow the TLS 1.1/1.2 security protocols - to my bitter surprise these were not available.

I need this VM up and running with TLS 1.1/1.2 support asap, and have already spent many days of research and trials to solve the issue, but I'm still looking for the solution... I'd be very, very thankful if you fellows can help me, be it by pointing me in the right direction or by providing the solution for this nightmare-like issue...!

Edit #1: Currently I'm not allowed to use the IISCrypto application, nor any other third-party one which accesses and modifies the machine's registry or overall system configuration...

Edit #2: Here are the registry items which I created manually. I've also tried with Enabled values of 0xFFFFFFFF and did a machine restart, but still there was no effect from this change, so I've turned the values back to 0x1.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    DisabledByDefault REG_DWORD 0x0
    Enabled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    DisabledByDefault REG_DWORD 0x0
    Enabled REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    DisabledByDefault REG_DWORD 0x0
    Enabled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    DisabledByDefault REG_DWORD 0x0
    Enabled REG_DWORD 0x1

Edit #3: After a detailed review of which updates/patches have been installed/applied on the machine over the last two years, I've found that KB4019276 was applied on 2017-11-27 and KB4056564 was applied on 2018-06-03. For KB4339093 I'm not sure - I'll search for this update, but I'd assume it is applied if the patch is older than a month, as the machine is kept up-to-date at least once a month.

Edit #4: The version of MS Internet Explorer running on the machine is 9.0.8112.16421, Update Versions 9.0.95 (KB4339093). @bcs78, the IE update which you mentioned in your comment was applied on 2018-07-30.

Edit #5: I'm unable to export the requested part of the system registry (the command reg query "HKLM\SOFTWARE\Microsoft\InternetExplorer\AdvancedOptions\CRYPTO\" /s), because I'm getting the error "ERROR: The system was unable to find the specified registry key or value." It seems all registry entries under HKLM\SOFTWARE\Microsoft\InternetExplorer are somehow "locked"... But this very same "locked" effect also exists on another machine (with Win2k12R2), where the TLS 1.1/1.2 communication functions properly.

I was able to export the related CRYPTO-keys directly from the Registry Editor:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"UncheckedValue"=dword:00000000
"CheckedValue"=dword:00000200
"PlugUIText"="@C:\\Windows\\System32\\inetcpl.cpl,-6800"
"Mask"=dword:00000200
"RegPoliciesPath"="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
"RegPath"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
"HKeyRoot"=dword:80000001
"HelpID"="iexplore.hlp#50511"
"DefaultValue"=dword:00000200
"ValueName"="SecureProtocols"
"Text"="TLS 1.1"
"Type"="checkbox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"UncheckedValue"=dword:00000000
"CheckedValue"=dword:00000800
"PlugUIText"="@C:\\Windows\\System32\\inetcpl.cpl,-6801"
"Mask"=dword:00000800
"RegPoliciesPath"="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
"RegPath"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
"HKeyRoot"=dword:80000001
"HelpID"="iexplore.hlp#50511"
"DefaultValue"=dword:00000800
"ValueName"="SecureProtocols"
"Text"="TLS 1.2"
"Type"="checkbox"

The very same content exists also in the 32-bit portion of the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO.

I'm finally allowed to use IISCrypto on the machine (it has been taken off the production farm) and I can see only TLS 1.0 as a supported SChannel protocol - not TLS 1.1 nor TLS 1.2. Interestingly enough, after today's patching of the machine, the Internet Options dialog box started to show in the Advanced tab/Security section all the enabled TLS protocols (TLS 1.0, TLS 1.1 and TLS 1.2).

And the SSL Labs tests show the same result as previously: SSL Labs: "The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C"...

So, what else could be needed in order to finally get those TLS-protocols activated...?

Many thanks in advance!

Ramanagom
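A check script, added here and not part of the question or of any of the linked KB articles, that reads the SCHANNEL keys listed in Edit #2 and decodes the per-user IE SecureProtocols bitmask that the Internet Options checkboxes write (CheckedValue 0x200 for TLS 1.1 and 0x800 for TLS 1.2 in the CRYPTO export above). It assumes an elevated PowerShell session on the affected server; the point it makes visible is that the IE checkboxes only touch the WinINet client value, while a listening service (and the SSL Labs test) depends on the SCHANNEL Server keys.

```powershell
# Added example (not from the question): report SCHANNEL protocol state and
# the IE SecureProtocols bitmask on the local machine. Run elevated.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $proto) $side
        if (-not (Test-Path $key)) {
            '{0,-8} {1,-6} key missing' -f $proto, $side
            continue
        }
        $p        = Get-ItemProperty -Path $key
        $enabled  = $p.PSObject.Properties['Enabled']
        $disabled = $p.PSObject.Properties['DisabledByDefault']
        $enabledVal  = if ($enabled)  { '0x{0:X}' -f $enabled.Value }  else { '<unset>' }
        $disabledVal = if ($disabled) { '0x{0:X}' -f $disabled.Value } else { '<unset>' }
        # The KB layout the poster followed: Enabled != 0 AND DisabledByDefault == 0
        $active = ($enabled -and $enabled.Value -ne 0) -and
                  ($disabled -and $disabled.Value -eq 0)
        $state = if ($active) { 'ACTIVE' } else { 'inactive' }
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3} -> {4}' -f `
            $proto, $side, $enabledVal, $disabledVal, $state
    }
}

# The Internet Options checkboxes (CheckedValue 0x200 / 0x800 in the CRYPTO
# export) set bits in this per-user WinINet value only; they do not create or
# change the SCHANNEL Server keys checked above.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$sp = (Get-ItemProperty -Path $ieKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
if ($null -eq $sp) {
    'SecureProtocols: not set for this user'
} else {
    # Bit values: SSL 3.0 and TLS 1.0 are the documented WinINet bits;
    # TLS 1.1 / TLS 1.2 are the CheckedValue entries from the export above.
    $bits = [ordered]@{ 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
    $on = $bits.GetEnumerator() |
        Where-Object { ($sp -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
    'SecureProtocols=0x{0:X} -> {1}' -f $sp, ($on -join ', ')
}
```

If the Server rows print ACTIVE yet an external scan still reports only TLS 1.0, the remaining gap is in the SCHANNEL implementation itself rather than in these values, which matches what IISCrypto showed once it could be run.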

  • Have you tried using IISCrypto? https://www.nartac.com/Products/IISCrypto/ – longneck Aug 08 '18 at 23:50
  • @longneck, for administrative/security reasons I'm not allowed to start and use any third-party applications on a production machine (my poor Win2k8 Server is a production machine). If I were able to use it, this application would be my first choice to run for a solution... – Ramanagom Aug 09 '18 at 08:33
  • I have found this SF page (https://serverfault.com/questions/862509/check-if-windows-server-2008r2-can-use-tls-1-2?rq=1), where some information is available which relates to my question... Will check it asap... – Ramanagom Aug 09 '18 at 09:39
  • Did you enable the registry values per KB4019276? – Greg Askew Aug 09 '18 at 10:25
  • 1
    *for administrative/security reasons* But you're running an OS that's almost 10 years old? What are you going to do on January 14, 2020 when Windows Server 2008 is no longer supported? That's only 16 months away. Your organization is already planning shutting down/upgrading this VM and using a newer OS, isn't it? – Andrew Henle Aug 09 '18 at 12:16
  • @AndrewHenle Over 10 years old, actually; Server 2008 was released in February 2008 just after its corresponding client version Windows Vista. – Michael Hampton Aug 09 '18 at 12:37
  • @GregAskew no, because the successor KB has been applied - KB4056564. And as I've already written in the article, I cannot install again any of the patches KB4019276 or KB4056564. I'm getting the message "The update does not apply to your system". – Ramanagom Aug 09 '18 at 14:32
  • @AndrewHenle+@MichaelHampton there are plans to move to more actual OS, but currently (and for the rest of Year 2018) the server remains on Win2k8SP2. – Ramanagom Aug 09 '18 at 14:35
  • If you do not create the registry settings described in KB4019276, **it will not work**. – Greg Askew Aug 09 '18 at 15:57
  • @GregAskew I've already mentioned in my post, I did the registry changes mentioned in that KB4019276. – Ramanagom Aug 09 '18 at 16:01
  • Actually when I asked you said no. You need to include the text output of: `reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /s` . – Greg Askew Aug 09 '18 at 16:08
  • @GregAskew probably I misunderstood your question - I meant I did not install KB4019276, because its successor KB4056564 was installed, but I've created all the registry entries mentioned in KB4019276, because they were not there in the registry. I'll post the requested content as soon as I can. – Ramanagom Aug 09 '18 at 16:39
  • Have you tried to install the latest cumulative update for IE9? KB4339093? – bcs78 Aug 10 '18 at 06:52
  • What is the version number of "iexplore.exe"? You might have updated the SCHANNEL component of Windows, but you are probably still using the initial version of IE9; that's why it ignores the new TLS standards. – bcs78 Aug 10 '18 at 09:07
  • @bcs78 The MSIE 9 Version and Revision number are around the ones, which can be seen on the picture of the [Chris Vesper's](https://serverfault.com/users/2985/chris-vesper) post [here](https://serverfault.com/questions/590591/enable-tls-1-1-and-1-2-on-windows-server-2008-sp2). I can check the exact numbers and post them here... – Ramanagom Aug 10 '18 at 09:51
  • What does the TLS test show: https://www.ssllabs.com/ssltest – Greg Askew Aug 10 '18 at 12:25
  • Result in SSL Labs: "The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C". This is very strange, as it means that despite the installed KB4019276 and KB4056564 and the configured registry, there is no TLS 1.2 active... Should there be another place where TLS 1.2 must be "activated" prior to being available for the browsers? – Ramanagom Aug 10 '18 at 13:22
  • Looks like there is already an answer here: https://serverfault.com/a/908771/20701 – Greg Askew Aug 11 '18 at 16:11
  • @GregAskew unfortunately not - I've already linked this SF article in my post and originally wanted to post my questions there... But since I'm a noob in SF I can't... So please read my posts prior to posting... Thank you. – Ramanagom Aug 11 '18 at 20:16
  • You referenced those links and still did not have the required settings in place. Let's see the output of `reg query "HKLM\SOFTWARE\Microsoft\InternetExplorer\AdvancedOptions\CRYPTO\" /s` – Greg Askew Aug 12 '18 at 13:12
  • @GregAskew I did update my question (edits #4 and #5). – Ramanagom Aug 13 '18 at 08:29
  • "Interesting enough, after the today's patching of the machine" -- what was today's patching of the machine? We have the same issue; this might help us. – Taylor Brown Oct 19 '18 at 17:19
  • 1
    @TaylorBrown, we've decommissioned the machine and replaced it with another one with newer operating system. I was unable to find a solution for the problem, so the replacement was the only option we have had the choice of... – Ramanagom Dec 07 '18 at 14:57
  • @Ramanagom thanks for your reply! I made some headway with this... the last IISCrypto update release was BEFORE Microsoft put out the update patch that allowed Windows Server 2008 to become 1.2 compliant. Because of this IISCrypto will never show checkboxes for 1.1 or 1.2. So we turned to our IE options as well to see if 1.1 and 1.2 would show up there. After a registry change (would link if I had it) we got those checkboxes to show in IE. We checked them off. Then went to howsmySSL.com and sure enough we were compliant. Hopefully this info is helpful to someone. – Taylor Brown Dec 07 '18 at 16:18
  • @TaylorBrown, those checkboxes were available (and checked) also in my case, but SSL Labs still showed no compliance with TLS 1.1/1.2... Anyway, I'm glad it functions at your side...! – Ramanagom Dec 10 '18 at 12:07
