Join Log in
Score:0
Ahad Porkar avatar Server

Receiving TLS 1.0 and 1.1 from server despite disabling it in the registry and disabling FIPS compliant algorithms

ng flag
Ahad Porkar

Windows Server 2019 with IIS 10.

Used these scripts to disable TLS 1.0 and 1.1

New-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force ` | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force ` | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.0 has been disabled.'

New-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force ` | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force ` | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.0 has been disabled.'

Ran "IISCRYPTO" and result:

enter image description here

Tested with this OPENSSL:

enter image description here

Qualys Dallas website shows:

enter image description here

enter image description here

110
2 + 3
iis
ssl
cn flag
Peter Hahndorf
You have to reboot your server for your changes to effect the system.
1
Reply
cn flag
Greg Askew
You don't need to include the script. It would help for you to include the output of your check of the registry values.
1
Reply
dave_thompson_085 avatar
jp flag
dave_thompson_085
Recent versions of OpenSSL can be and yours apparently is configured to disable TLS1.0 and sometimes 1.1; **your test** with `openssl s_client -tls1` giving error 0A0000BF is a local error and didn't actually attempt a 1.0 connection at all, so it **doesn't prove anything** about the server. For testing only (NEVER in prod) try adding `-cipher DEFAULT:@SECLEVEL=0`. (PS: the Qualys site is not 'Dallas'?!)
1
Reply
Score:3
Steffen Ullrich avatar Server
se flag
Steffen Ullrich

Note that the domain name you've tried to mask can still be extracted from the part of the certificate you show. From knowing the domain name it is possible to get the details you did not provide in your question.

Your IIS server is behind a CDN (ArvanCloud). The TLS is terminated at the CDN. This means that from the perspective of an external client (like SSLLabs) only the CDN settings are relevant, not the settings of your IIS server behind the CDN.

+ 0
Score:1
Nuno Chaves avatar Server
nl flag
Nuno Chaves

The below worked for me when disabling 1.0 and 1.1, setting 1.2 as default.

With a couple changes it may help you too.

Step 1: Enable TLS 1.2

From Notepad.exe, create a text file and name it TLS12-Enable.reg.

Copy then paste the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Save the TLS12-Enable.reg file.

Double-click the TLS12-Enable.reg file.

Click Yes to update your Windows Registry with these changes.

Step 2: Disable TLS 1.0 and 1.1

From Notepad.exe, create a text file and name it TLS1011-Disable.reg

Copy then paste the following text:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

Save the TLS1011-Disable.reg file.

Double-click the TLS1011-Disable.reg file.

Click Yes to update your Windows Registry with these changes.

Step 3: Configure .NET Security Settings

From Notepad.exe, create a text file and name it NET-UseSchannelDefaults.reg

Copy then paste the following text: Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

Save the NET-UseSchannelDefaults.reg file.

Double-click the NET-UseSchannelDefaults.reg file.

Click Yes to update your Windows Registry with these changes.

Restart your computer for the change to take effect.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.