Enable TLS 1.2 on windows server 2008 R2


I am trying to enable TLS 1.2 on Windows Server 2008 R2. I have made the registry entries to enable TLS 1.2 as mentioned in the link below: http://forums.iis.net/t/1201043.aspx.

I have also tried the PowerShell script in this link: http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

While monitoring through Wireshark I found that the Client Hello message is sending version TLS 1.2 and the protocol is showing TLSv1. The Server Hello message is showing TLSv1 in the protocol field and version TLS 1.0.

I don't know if I am missing anything to enable TLS 1.2. I think I have made all the registry entries. Any help will be appreciated.

The above mentioned services are running in a HASP server, running on port 443.

Another strange thing: I am using an IIS 7.5 server. When I deploy another service on port 8443, it runs on TLS 1.2 only from IE 9. Both the IIS 7.5 service and the HASP server service are running on the same machine. But through Wireshark it is showing the TCP protocol only; no SSL protocol is used here for the HTTPS communication. How is it possible?

Also, last point: even if I disable SSLv3 in the server registry or remove all entries, the URL still works on SSLv3. Is it possible that we need to update some other files on Windows Server?

1
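A check that answers the two questions above (is TLS 1.2 really on for the server side, and why does SSLv3 still answer) is to read back the SCHANNEL protocol keys the linked guides ask you to create. The script below is an added example, not code from the question or from either linked guide. It assumes PowerShell 3.0 or later running elevated on the server being checked; the function name `Get-SchannelProtocolState` is the example's own. Two facts it relies on: SCHANNEL reads these keys at boot, so nothing changes until the machine reboots, and a key that is absent means "OS default" for that protocol, which on Server 2008 R2 leaves SSL 3.0 on and TLS 1.2 off. Note that these keys only govern services that use SCHANNEL; a service that ships its own TLS library is not affected by them at all, which is one thing to rule out for a third-party listener on 443.

```powershell
# Added example (not from the question or the linked guides): audit the SCHANNEL
# protocol keys for every protocol and side and flag the two common findings.
# Assumes PowerShell 3.0+ running elevated on the server under test.
$Base          = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Sides         = 'Client', 'Server'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path (Join-Path $Base $Protocol) $Side
    $enabled           = '(absent)'
    $disabledByDefault = '(absent)'
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        if ($null -ne $props.Enabled)           { $enabled = [int]$props.Enabled }
        if ($null -ne $props.DisabledByDefault) { $disabledByDefault = [int]$props.DisabledByDefault }
    }
    # Effective state. An absent key (or absent Enabled value) falls back to the OS default.
    # Enabled=0 switches the protocol off. Enabled!=0 with DisabledByDefault=0 switches it on;
    # Enabled!=0 with DisabledByDefault=1 leaves it available only when a caller asks for it.
    $state = 'OS default'
    if ($enabled -is [int]) {
        if ($enabled -eq 0) {
            $state = 'disabled'
        } elseif ($disabledByDefault -is [int] -and $disabledByDefault -ne 0) {
            $state = 'enabled, but off by default'
        } else {
            $state = 'enabled'
        }
    }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

$report = foreach ($p in $ProtocolNames) {
    foreach ($s in $Sides) { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$report | Format-Table Protocol, Side, Enabled, DisabledByDefault, State -AutoSize

# Flag the two findings behind the question.
$tls12Server = $report | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Side -eq 'Server' }
if ($tls12Server.State -ne 'enabled') {
    Write-Warning "TLS 1.2 Server is '$($tls12Server.State)': set Enabled=1 and DisabledByDefault=0 under '$Base\TLS 1.2\Server', then reboot."
}
$ssl3Server = $report | Where-Object { $_.Protocol -eq 'SSL 3.0' -and $_.Side -eq 'Server' }
if ($ssl3Server.State -ne 'disabled') {
    Write-Warning "SSL 3.0 Server is '$($ssl3Server.State)': deleting the key restores the OS default (on); set Enabled=0 explicitly and reboot."
}
```

Run it before and after the reboot: a row that reads "OS default" for SSL 3.0 Server is exactly the case where the entries were removed rather than set to 0, and a TLS 1.2 Server row that is anything other than "enabled" explains a Server Hello that still says TLS 1.0.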

1 answer

0
Drasius On

Same issue: I did all the steps mentioned in the documentation but had no luck enabling TLS 1.2 on Win 2008 or Win 2012 :/. Some info from the logs:

Enabled SecurityProtocol`s: SystemDefault
.NET Runtime: 4.8.4069.0
  • Modified the registry by disabling all other protocols and enabling only TLS 1.2
  • Installed the required updates (KB3140245)
  • Also tried installing "MicrosoftEasyFix51044"

Using "WebRequest.CreateHttp(url)" still fails with the error:

ERROR - The request was aborted: Could not create SSL/TLS secure channel.

Updated answer:

At least for us, the answer was that Win 2008/2012 and the API/service we were trying to communicate with over TLS 1.2 do not have a cipher suite in common, so they are not able to communicate. From the linked information it looks like the only way is to upgrade Windows to 2016+.

Adding Cipher suite to TLS1.2 of HttpClient of dotnetcore 3.1
https://learn.microsoft.com/en-us/answers/questions/227738/windows-server-2012-r2-tls-12-cipher-suites.html

In our case the service was using/supporting (and Windows was not):

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
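The generic "Could not create SSL/TLS secure channel" hides whether the failure is a protocol-version problem or the cipher-suite mismatch described in this answer. The script below is an added example, not code from the answer: it drives the same SCHANNEL client that `WebRequest` uses, but through `SslStream`, so the negotiated protocol and cipher (or the underlying handshake error) become visible. It assumes PowerShell 3.0 or later on .NET 4.5 or later (where `SslProtocols.Tls12` exists); the function name `Test-TlsHandshake` and the host name `service.example.internal` are the example's own placeholders.

```powershell
# Added example (not from the answer): report what SCHANNEL actually negotiates
# with a server for each requested TLS version, instead of the generic
# "Could not create SSL/TLS secure channel" that WebRequest surfaces.
# Assumes PowerShell 3.0+ on .NET 4.5+.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls12
    )
    $result = [ordered]@{
        Host = $HostName; Port = $Port; Requested = $Protocol
        Negotiated = $null; Cipher = $null; CipherBits = $null
        KeyExchange = $null; Hash = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation keeps the default behaviour (untrusted certs fail);
        # the trailing $false only turns off revocation checking.
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            $result.Negotiated  = $ssl.SslProtocol
            $result.Cipher      = $ssl.CipherAlgorithm
            $result.CipherBits  = $ssl.CipherStrength
            $result.KeyExchange = $ssl.KeyExchangeAlgorithm
            $result.Hash        = $ssl.HashAlgorithm
        } catch {
            # Unwrap to the innermost exception: that is where SCHANNEL's own message lives.
            $e = $_.Exception
            while ($e.InnerException) { $e = $e.InnerException }
            $result.Error = $e.Message
        } finally {
            $ssl.Dispose()
        }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

# Walk the versions one at a time: a server that answers on Tls but not on Tls12
# has no TLS 1.2 suite in common with this client, which is the answer's diagnosis.
$target = 'service.example.internal'   # placeholder host, not a real endpoint
'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsHandshake -HostName $target -Protocol ([System.Security.Authentication.SslProtocols]$_)
} | Format-Table Requested, Negotiated, Cipher, CipherBits, KeyExchange, Hash, Error -AutoSize
```

When the Tls12 row carries SCHANNEL's "The client and server cannot communicate, because they do not possess a common algorithm" message while Tls or Tls11 succeeds, the OS simply has none of the suites the server insists on (here the ECDHE x25519 GCM and ChaCha20 suites listed above), and no protocol-key change will fix that; on Server 2012 R2 and later, `Get-TlsCipherSuite` lists the suites SCHANNEL offers so the two lists can be compared directly.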