How do you disable TLS 1.0 for a specific website in IIS 7?

Question

Everything I can find on disabling TLS 1.0/1.1 and SSL 3.0 involves editing the registry to disable it at the server level.

Unfortunately our website communicates with a vendor application that still requires TLS 1.1, and disabling it at the server level breaks it for that connection.

Is there a way to disable TLS/SSL specifically for our website while leaving it active at the server level?

I think this qualifies as a duplicate, but I'm not totally sure. [Is it possible to force TLS 1.2 on an IIS Site](https://serverfault.com/questions/771161/is-it-possible-to-force-tls-1-2-on-an-iis-site) — Moshe Katz, Dec 09 '19 at 18:47

score 4 · Accepted Answer · answered Dec 09 '19 at 18:46

You can't do it.

The newest IIS (v10 - on Server 2019) lets you choose "Disable Legacy TLS" on a per-binding level, but the version you have cannot do it.

Realistically, there are only two ways to do what you want:

Upgrade to Windows Server 2019
Set up an edge reverse proxy to handle SSL termination for your website and send it back to your main server. The edge proxy will handle only modern TLS versions and the actual server will not be accessible from outside.

score 0 · Answer 2 · answered Dec 09 '19 at 21:20

0

You can always use IISCrypto, link below. Be careful, if you don't know what you are doing you can break shtuff.

https://www.nartac.com/Products/IISCrypto/ :D

answered Dec 09 '19 at 21:20

blackstabs

34
2

No, you can't. IISCrypto changes the system-wide SChannel settings, so it won't help with this question. – Moshe Katz Dec 11 '19 at 00:58

How do you disable TLS 1.0 for a specific website in IIS 7?

2 Answers2