
I have been trying to disable TLS 1.0 and TLS 1.1, but am having no success. We have already disabled them in regedit with this, and rebooted the systems.

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

We have made sure the values were saved correctly, and we do support TLS 1.2 and it is enabled. This is where we saw that they were still enabled: https://www.ssllabs.com/ssltest/analyze.html?d=www.gocare.biz. We are using Windows Server 2012 R2. We want the server to accept only TLS 1.2 and TLS 1.3. We don't know what else we could do for it to be disabled. Thanks

  • The problem that you are facing is not clear to me. Are you developing a .NET app and you want it to connect only to TLS 1.2? Or do you have a web server and you want it to accept only TLS 1.2 connections? Or do you want to disable system-wide the support for version != TLS 1.2? – Matteo Umili Sep 03 '20 at 15:27
  • Please [edit] your question to tell us *how you know* TLSv1.0 and TLSv1.1 are still enabled. If your IIS server is on the public net, https://www.ssllabs.com/ssltest/analyze.html will tell you what's enabled. It's harder to tell for clients. What version of IIS / Windows ? – O. Jones Sep 03 '20 at 15:35
  • It was probably done in the Security patch that Microsoft sent out in June. It will only disable a server from accepting a TLS 1.0/1.1 request. It will not stop applications from requesting TLS 1.0 and 1.1. The request mode is part of the Net Library (or other applications) and is just an enumeration in the request. You have to modify the client to add TLS 1.2 (probably using the default in the Net library). The Net library default in new versions of Net is the latest TLS version, but old Net libraries still default to 1.0/1.1. – jdweng Sep 03 '20 at 15:45
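
To confirm what the registry on the server really contains after the import and reboot, the SCHANNEL keys from the question can be read back and summarised per protocol and role. This is an added example, not code from the original post or its comments; the variable names and the report layout are assumptions, and it only reads the keys shown in the question plus the matching TLS 1.2 keys.

```powershell
# Added example: read back the SCHANNEL protocol settings on this machine.
# Run in an elevated PowerShell session on the server itself. Read-only.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$legacy    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

$report = foreach ($protocol in $protocols) {
    foreach ($role in 'Client', 'Server') {
        $path = Join-Path (Join-Path $base $protocol) $role
        $enabled = $null
        $disabledByDefault = $null

        if (Test-Path -LiteralPath $path) {
            $values = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            # A missing value stays $null, meaning the OS default applies.
            $enabled           = $values.Enabled
            $disabledByDefault = $values.DisabledByDefault
        }

        # Enabled = 0 disables the protocol; any non-zero value enables it.
        $state = if ($null -eq $enabled) { 'not set (OS default)' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }

        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            State             = $state
        }
    }
}

$report | Format-Table -AutoSize

# Server-side legacy protocols that are not explicitly disabled.
$problems = $report | Where-Object {
    $_.Role -eq 'Server' -and $_.Protocol -in $legacy -and $_.State -ne 'disabled'
}

if ($problems) {
    Write-Warning 'Legacy protocols not explicitly disabled for the Server role:'
    $problems | Format-Table Protocol, Role, State -AutoSize
} else {
    Write-Output 'SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are disabled for the Server role in the registry.'
}
```

If this reports the legacy protocols as disabled for the Server role while an external scan still negotiates them, check whether the scanned hostname terminates TLS on something that does not use this machine's Schannel settings; that is a possibility to verify, not something the post establishes.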

0 Answers