Enable TLS 1.1 and TLS 1.2 on Windows Server 2008 R2 and IIS 7.5.
You are probably aware that SSL has been hacked; that is, versions of SSL before 3.2 and TLS 1.1 are vulnerable. Thankfully, Windows Server 2008 R2 comes with the capability to support TLS 1.1 and TLS 1.2; however, they are not enabled by default. I found some decent information on how to enable TLS 1.1 and TLS 1.2, but no straightforward instructions on how to do so. The bottom line is that you have to edit the registry and then reboot the server. Here are the straightforward steps to enable TLS 1.1 and TLS 1.2 on a Windows Server 2008 R2 server:
- Please back up your registry.
- Start the registry editor (regedit).
- Browse to the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Add the following keys: TLS 1.1 and TLS 1.2
- Within each of the TLS 1.1 and TLS 1.2 keys (they look like folders), add these keys: Client and Server
- Within each of the Client and Server keys, create the following DWORD values: DisabledByDefault with a value of 0, and Enabled with a value of 1
- Reboot the server.
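The same registry changes as a script, added here as an example and not part of the original post. It assumes an elevated PowerShell prompt on the server (PowerShell 2.0, as shipped with Windows Server 2008 R2, is enough) and reads the values back so the result can be checked before the reboot.

```powershell
# Added example (not from the original post): create the SCHANNEL keys and
# DWORD values described in the steps above, then read them back.
# Assumes an elevated prompt. Back up the registry first; a reboot is still
# required for SCHANNEL to pick up the change.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @('TLS 1.1', 'TLS 1.2')
$sides     = @('Client', 'Server')

foreach ($proto in $protocols) {
    foreach ($side in $sides) {
        $key = Join-Path (Join-Path $base $proto) $side
        # -Force also creates the intermediate 'TLS 1.x' key if it is missing
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DisabledByDefault = 0 and Enabled = 1, both as DWORD values
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Read the values back; every line should show DisabledByDefault=0 Enabled=1
foreach ($proto in $protocols) {
    foreach ($side in $sides) {
        $key = Join-Path (Join-Path $base $proto) $side
        $p   = Get-ItemProperty -Path $key
        '{0}\{1}: DisabledByDefault={2} Enabled={3}' -f $proto, $side, $p.DisabledByDefault, $p.Enabled
    }
}
```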
You should now have registry settings that look like:
I tested the new settings by configuring Internet Explorer 9 to only use TLS 1.2 and connected to a secure page on one of the websites on my server. Here is where you configure IE9 to do this:
Do your customers a favor (and thus yourself) by allowing them to use a more secure version of SSL/TLS on your website. Configure your IIS server to use TLS 1.1 and TLS 1.2. Hopefully all web browsers will support these versions in the very near future, but at least Internet Explorer 9 already does.