Toggle navigation

Enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP

Articles \ Windows

As TLS 1.0 isn´t any longer "secure" every administrator should plan to make the switch to TLS 1.1 and TLS 1.2. Microsoft now released KB 3140245 which allows Administrators to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used (e.g. in every Microsoft Office product as explained here).

According to KB 3140245 this can be controlled via DefaultSecureProtocols in  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.

The possible options here are:

TLS 1.1:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000200

TLS 1.2:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

TLS 1.1 + 1.2 (Preferred option):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00

Option 1 +2 are directly from the Microsoft website. However what most administrators do not know is that you can combine the hex values 00000200 and 00000800 (e.g. with an calculator in programmer mode) to get 00000a00. So option 3 would allow you to disable TLS 1.0 (as well as SSL 2.0 and 3.0) but allow TLS 1.1 and TLS 1.2 at the same time to allow a wider range of compatibility.

 

 

Comments (10)

CSR SysAdmin
  2. #359
This comment was minimized by the moderator on the site

Good article, but for what version of Windows does this apply?

I understand that only for Windows 7 and 2012; How can I make sure Windows 8 and 10 are using TLS 1.2 by default?

  1. Reply
Alan    CSR SysAdmin
  2. #455
This comment was minimized by the moderator on the site

Moot. Windows 8+ has TLS 1.1 and 1.2 available by default.

  1. Reply
Alan    Alan
  2. #457
This comment was minimized by the moderator on the site

Also this:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/protocols-in-tls-ssl--schannel-ssp-

  1. Reply
Random visitor
  2. #392
This comment was minimized by the moderator on the site

The screenshot shows a value of 0xa80 for DefafaultSecureProtocols, but I believe it it should be 0xa00, while SecureProtocols (under the parent "Internet Settings" key) should be 0xa80.

  1. Reply
Leandro
  2. #448
This comment was minimized by the moderator on the site

Thanks! after do this change en de Registre, I must to restart? becasuse Its not working in my server.

  1. Reply
BastianW    Leandro
  2. #449
This comment was minimized by the moderator on the site

yes changing the SSL / TLS configuration require that you restart the server after implementing the registry.

  1. Reply
Alan    BastianW
  2. #456
This comment was minimized by the moderator on the site

Or just restart the WINHTTP service. If the key isn't working, check the SCHANNEL Reg key:

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

  1. Reply
Bastian W.    Alan
  2. #458
This comment was minimized by the moderator on the site

thanks, that's an interesting approach. I will give it a try the next time.

  1. Reply
bilal
  2. #545
This comment was minimized by the moderator on the site

i have server 2012 and SQL 2012 as well, i have 40 different DBs , is there any impact for this ?

  1. Reply
Bastian W.    bilal
  2. #546
This comment was minimized by the moderator on the site

It hardly depends on the applications and how they connect to your SQL server. It might be that the server isn´t offering a SSL/TLS connection and it also could be that the SSL/TLS connection is option and that the applications do not use it....

It hardly depends on the applications and how they connect to your SQL server. It might be that the server isn´t offering a SSL/TLS connection and it also could be that the SSL/TLS connection is option and that the applications do not use it. Technically you can change the setting, check if everything is working as expected and if some applications have connection issues, you can roll back the change, reboot and you are back to the normal level. Keep additonal noted that changing SSL/TLS will change the RDP connection as well. So check my blog for missing updated on the client/server level to avoid any connection issues (if you have all MS patches applied you should be safe here).

Read More
  1. Reply
There are no comments posted here yet

Leave your comments

  1. Posting comment as a guest.
Attachments (0 / 3)
Share Your Location