
I have some issues getting the TLS 1.2 protocol running on one of our Windows Server 2012 machines. I checked this using ssllabs.com by Qualys and also tested with a PowerShell script and the Linux tool "cipherscan".

The server hosts one Exchange 2013 SP1 (CU4) Server, with IIS 8.0. The certificate used is issued by our company CA. Another Windows Server 2012 with the same Exchange 2013 SP1 (CU4) installation works perfectly with the same certificate.

As far as I could research, Windows Server 2012 uses TLS 1.2 by default. However, this setting can be configured using the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DWORD "DisabledByDefault" Value "0x00000000"
DWORD "Enabled" Value "0x00000001" or "0xffffffff"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
DWORD "DisabledByDefault" Value "0x00000000"
DWORD "Enabled" Value "0x00000001" or "0xffffffff"

Microsoft also mentions that this local group policy setting might help:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

As this setting should be set inside the operating system, Microsoft also recommends enabling TLS 1.2 usage in the Internet Options of Internet Explorer.

I tried all of these 3 options, but none worked for me. Just to make this clear: the server (not just the IIS service) was rebooted several times after enabling each of the settings.

Most guides and scripts (e.g. PowerShell) just set the corresponding keys in the registry. I don't know exactly what else I could try.

I hope that somebody has a clue where to enable this.

Kevin
  • Check for the latest Windows updates, because Microsoft failed an update with SCHANNEL (the TLS subsystem) and changed the cipher order. There is a tool to check the cipher order in a GUI: https://www.nartac.com/Products/IISCrypto/ For me it works every time (try it on a test machine if you don't trust the exe). – YuKYuK Feb 16 '15 at 12:59
  • I already tried that tool, and it tells me that TLS 1.2 is enabled. I also tried to disable it --> reboot and enable it again --> reboot. If this is important I might edit the question and post the order, just tell me. However, do you know which Windows update in particular I should look for, as I can't just install all updates before the next maintenance window. – Kevin Feb 16 '15 at 13:14
  • KB2992611 is the one with the failed cipher order (bug on a lot of clients). They updated it. For more details: https://support.microsoft.com/kb/2992611 – YuKYuK Feb 16 '15 at 13:20
  • Thank you. This particular update is in fact missing on our server. I'll try that and report the result. – Kevin Feb 16 '15 at 13:25
  • Hello YuKYuK. The KB2992611 update solved my problem. The interesting fact, though, is that the other Exchange server is also missing that update. It works, however. – Kevin Feb 16 '15 at 13:34
  • Have you seen this: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and/ba-p/607761 – Ace Sep 02 '22 at 03:22
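The registry values listed in the question and the KB2992611 check from the comments, combined into one audit script as an added example. This is not code from the question, its author, or the IIS Crypto tool. It assumes an elevated PowerShell session on the Windows server; the function names, the -Apply switch and the FIPS policy registry key path (HKLM:\...\Lsa\FipsAlgorithmPolicy, the location the named group policy setting writes to) are this example's own additions and do not come from the page.

```powershell
# Added example, not code from the question, its author, or IIS Crypto.
# Audits the SCHANNEL TLS 1.2 Client/Server values named in the question,
# the FIPS policy flag behind the group policy setting it mentions, and the
# KB2992611 hotfix from the comments. With -Apply it writes the values the
# question lists. Run from an elevated PowerShell session on the server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # report only unless -Apply is given (switch name chosen for this example)
)

$tls12Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
# Assumption: this key is not on the page; it is where the
# "Use FIPS compliant algorithms" policy stores its flag.
$fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-Tls12State {
    param([ValidateSet('Client', 'Server')][string]$Side)
    $path  = Join-Path $tls12Base $Side
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # A DWORD of 0xffffffff is returned by the registry provider as Int32 -1;
    # anything non-zero counts as enabled, which is why both 1 and 0xffffffff work.
    $enabled  = if ($props -and $null -ne $props.Enabled) { [int]$props.Enabled } else { $null }
    $disabled = if ($props -and $null -ne $props.DisabledByDefault) { [int]$props.DisabledByDefault } else { $null }
    $effective = if ($null -eq $enabled -and $null -eq $disabled) {
        'OS default (no override present; enabled on Server 2012 per the question)'
    } elseif ($enabled -eq 0) {
        'DISABLED (Enabled = 0)'
    } elseif ($disabled -eq 1) {
        'not offered unless the application requests it (DisabledByDefault = 1)'
    } else {
        'enabled'
    }
    [pscustomobject]@{
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabled
        Effective         = $effective
    }
}

function Set-Tls12State {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('Client', 'Server')][string]$Side)
    $path = Join-Path $tls12Base $Side
    # Honours -WhatIf / -Confirm passed to the script.
    if ($PSCmdlet.ShouldProcess($path, 'Set DisabledByDefault=0, Enabled=1')) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # -Force overwrites an existing value instead of raising an error.
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $path -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# 1. Current TLS 1.2 state for both sides (Out-Host keeps the table ahead of later lines).
'Client', 'Server' | ForEach-Object { Get-Tls12State -Side $_ } | Format-Table -AutoSize | Out-Host

# 2. FIPS policy flag (the question names the policy; this reads its registry value).
$fips = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled
Write-Output ('FIPS policy flag: {0}' -f $(if ($null -eq $fips) { 'not set' } else { $fips }))

# 3. The hotfix identified in the comments as the actual fix.
$hotfix = Get-HotFix -Id 'KB2992611' -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "KB2992611 installed on $($hotfix.InstalledOn)"
} else {
    Write-Output 'KB2992611 NOT installed (the update named in the comments)'
}

# 4. Optionally write the values the question lists.
if ($Apply) {
    'Client', 'Server' | ForEach-Object { Set-Tls12State -Side $_ }
    Write-Output 'Values written. Reboot the server (not just IIS) before re-testing, as the question notes.'
}
```

Save it as a .ps1 file and run it without arguments to get a report; add -Apply (or -Apply -WhatIf to preview) to write the two DWORDs under both the Client and Server keys. Because the registry values only describe what SCHANNEL is allowed to offer, the outside-in check the question already used (ssllabs.com or cipherscan against the Exchange host) remains the confirmation that TLS 1.2 is actually negotiated after the reboot.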

1 Answer


One other option to enable SSL/TLS on your Windows Server is to use IIS Crypto to update the registry keys.

Furthermore, you have the possibility to manage the cipher suites (ciphers, hashes and key exchanges).

https://www.nartac.com/Products/IISCrypto

Alexandre Roux