Toggle navigation

Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP

Articles \ Windows4 Comments

As TLS 1.0 isn´t any longer "secure" every administrator should plan to make the switch to TLS 1.1 and TLS 1.2. Microsoft now released KB 3140245 which allows Administrators to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used (e.g. in every Microsoft Office product as explained here).

According to KB 3140245 this can be controlled via DefaultSecureProtocols in  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.

The possible options here are:

TLS 1.1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000200

TLS 1.2:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

TLS 1.1 + 1.2 (Preferred option):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00

Option 1 +2 are directly from the Microsoft website. However what most administrators do not know is that you can combine the hex values 00000200 and 00000800 (e.g. with an calculator in programmer mode) to get 00000a00. So option 3 would allow you to disable TLS 1.0 (as well as SSL 2.0 and 3.0) but allow TLS 1.1 and TLS 1.2 at the same time to allow a wider range of compatibility.

 

 

Comments

    CSR SysAdmin

    Good article, but for what version of Windows does this apply?

    I understand that only for Windows 7 and 2012; How can I make sure Windows 8 and 10 are using TLS 1.2 by default?

      Attachments
    Your account does not have privileges to view attachments in the comment
    1. Reply
    2. #359
    There are no comments posted here yet

    Leave your comments

    Attachments (0 / 3)
    Share Your Location