Question

How does TLS protocol differ on registry and browser level?

Context

Many companies are migrating from protocol TLS1.0 (disabling it) to TLS1.2 (enabling it). I'm not sure how this differs at the registry level and at the browser level.

Before my registry disabled TLS1.0 and enabled TLS1.2, my browser already showed TLS1.2 enabled via How’s My SSL. My machine did not accept connections to hardened Windows applications on TLS1.2 until I made registry changes though (enable TLS1.2 and SchUseStrongCrypto): Registry hardening

Reference

https://www.entrust.com/moving-tls-1-2/

George
  • There is a difference between having support for the protocol, and actually allowing the protocol to be used. The same is true the other way around. An SSL client may support SSL3, however it was disabled due to MD5 issues. – Yorick de Wid Aug 31 '16 at 10:21
  • @YorickdeWid Agreed, but my browser was showing TLS1.2 connection even before I enabled it in my registry. That puzzles me. – George Sep 01 '16 at 01:53

1 Answer

The TLS protocol itself has nothing to do with your browser and/or registry. It is a documented standard that can be implemented by anybody. What you're looking at are some registry keys to enable or disable various protocol versions for applications using SChannel, the TLS implementation in Windows. As Yorick mentioned in a comment, SChannel implements the various TLS protocol versions, but they're not all enabled by default. Originally TLS v1.2 wasn't enabled for compatibility purposes due to the number of sites that suffered from version intolerance bugs (it is enabled by default now), and in the past SSL v2 and SSL v3 were enabled by default because there were many servers that didn't support anything better. (And these are now disabled by default.)

Incidentally, you generally don't need to get into the registry editor to change these values. They're available on the "Advanced" tab of the "Internet Options" dialog in Internet Explorer.

Xander
  • Thanks for the insights, Xander. It's clearer now, though what puzzled me was slightly different. My browser already had TLS1.2 enabled, but I could not access a hardened Windows application that had TLS1.0 disabled, until I enabled the TLS1.2 key in Secure Channel in the registry. Is it right to conclude that these (browser and registry) are different settings independent of each other, and a company migrating to TLS1.2 should have both configured? – George Sep 01 '16 at 01:58
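A defender's check for the distinction the answer draws, added here as an example that is not part of the original question or answer: a PowerShell script that reads the SChannel protocol keys and the .NET SchUseStrongCrypto flag the question mentions, reports whether each matches the migration target, and can apply the target under ShouldProcess. The registry paths are the documented Windows locations for SChannel and .NET Framework 4; the target policy itself (TLS 1.0 disabled, TLS 1.2 enabled, on both the Client and Server side, plus SchUseStrongCrypto=1) is an assumption mirroring the migration in the question, and the function names are my own.

```powershell
# Added example (not code from the original post). Audits, and optionally applies,
# the SChannel registry settings discussed in the answer. Target policy is assumed:
# TLS 1.0 off, TLS 1.2 on, for both Client and Server sides, plus SchUseStrongCrypto=1.
# Run in an elevated PowerShell; SChannel changes take effect after a reboot.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
# Assumed target state for the migration: protocol -> should it be enabled?
$TargetPolicy = @{ 'TLS 1.0' = $false; 'TLS 1.2' = $true }

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,                                 # e.g. 'TLS 1.2'
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Side
    )
    $path = Join-Path $SchannelRoot "$Protocol\$Side"
    # A missing key or value means "whatever this Windows build does by default",
    # which is exactly the state the asker was in before editing the registry.
    $enabled           = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $disabledByDefault = (Get-ItemProperty -Path $path -Name DisabledByDefault -ErrorAction SilentlyContinue).DisabledByDefault

    $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default' }
             elseif ($enabled -eq 0)                                     { 'Disabled' }
             elseif ($disabledByDefault -eq 1)                           { 'Enabled only if the app opts in' }
             else                                                        { 'Enabled' }

    # Conservative audit: the target must be set explicitly, an OS default never passes.
    $meets = if ($TargetPolicy[$Protocol]) { $state -eq 'Enabled' } else { $state -eq 'Disabled' }

    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
        MeetsTarget       = $meets
    }
}

function Get-DotNetStrongCryptoState {
    # SchUseStrongCrypto=1 makes .NET Framework 4.x clients offer TLS 1.2 instead of
    # their older default; this is the second key the asker had to change.
    foreach ($key in $DotNetKeys) {
        $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = $value
            MeetsTarget        = ($value -eq 1)
        }
    }
}

function Test-TlsMigration {
    $results = foreach ($proto in $TargetPolicy.Keys) {
        foreach ($side in 'Client', 'Server') {
            Get-SchannelProtocolState -Protocol $proto -Side $side
        }
    }
    $results | Format-Table -AutoSize
    Get-DotNetStrongCryptoState | Format-Table -AutoSize
}

function Set-TlsMigrationPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($proto in $TargetPolicy.Keys) {
        $enable = $TargetPolicy[$proto]
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path $SchannelRoot "$proto\$side"
            $desc = "Set Enabled=$([int]$enable), DisabledByDefault=$([int](-not $enable))"
            if ($PSCmdlet.ShouldProcess($path, $desc)) {
                New-Item -Path $path -Force | Out-Null
                New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value ([int]$enable) -Force | Out-Null
                New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $enable)) -Force | Out-Null
            }
        }
    }
    foreach ($key in $DotNetKeys) {
        if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Set SchUseStrongCrypto=1')) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

Test-TlsMigration
# Set-TlsMigrationPolicy -WhatIf   # preview the changes; drop -WhatIf to apply, then reboot
```

Run the audit first; a row reading "OS default" is the situation in the question, where nothing in the registry says anything about TLS 1.2 and each application's behaviour depends on what its own TLS stack does by default. That is also why a browser result from How's My SSL does not tell you anything about SChannel: Internet Explorer and .NET applications go through SChannel and are governed by these keys, whereas Firefox (NSS) and Chrome (BoringSSL) ship their own TLS implementations and ignore the SChannel protocol keys entirely, so a migration that relies on Windows applications needs the registry side configured regardless of what the browser reports.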