Enable outbound TLS 1.1 and 1.2 on Windows Server

Published on Author JFLeave a comment

You’ve written a variety of .NET apps and are running into problems connecting to a third party site using .NET as the client creating outbound requests.

This post is not about configuring your server to receive requests using TLS 1.1, and higher. If you are looking for configuring IIS, etc, to meet PCI DSS or other security requirements, go and get IIS Crypto from Nartec for free. No need to play around in the registry. It is a truly great tool that you can rely on and will pass external scanners like  Qualys or Trustwave.

Let’s get started:

Windows 2012 R2 and Windows 2008 R2

In my case, I have a simple website which has it’s own sub-application (not just a virtual folder) which uses the DefaultAppPool which, in turn, uses .NET v4.0:

windows-2012-r2-apppool

This particular app creates outbound HTTPS requests and gets an answer, as well as content. With the standard, out of the box installation, the connection will fail and be rejected because the host server is only set to allow TLS 1.1. and higher connections.

We need to tell Windows to allow higher connections and, in fact, default to them.

Ready? It is so easy:

Open regedit. There are two places you need to add a key to get get strong cryptography:

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > .NETFramework > v4.0.30319

HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Microsoft > .NETFramework > v4.0.30319

The new DWORD to add: SchUseStrongCrypto
And it’s value: 1 (or as it appears 00000001)

As you can see below, I have exported the keys with the new values added. AspNetEnforceViewStateMac  is the default key that already exists.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Note: this appears to be a parent configuration for all the SKUs keys beneath this folder. I have NOT tested with other versions of .NET that are in the SKUs key folder. If something fails, simply add the key to each one you are using.

Here are some images to help you along:

Have SchUseStrongCrypto already copied and ready to CTRL+v before you begin. Open regedit and scroll down to the first key HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > .NETFramework > v4.0.30319. Right click > New > DWORD (32-bit) Value. Paste SchUseStrongCrypto into where it says “New Value #1”. If you make a mistake, just delete the key, then try again.  

windows-2012-r2-addregkey

Then right click > Modify.

windows-2012-r2-modify-dword-value

Then simply change the default value of 0 to 1 and click Ok.

windows-2012-r2-update-dword-value

 

That’s it. 

Reboot and you’re done!

 

Additional Information you might need

Handy URLs for testing. Each of the following that I got from here you can use to test different security cyphers with a WebRequest:

 

More Windows information:

You may need to add/modify these keys.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.