Tuesday, July 04, 2017

Server 2012 R2 supports TLS 1.2, but defaults to SSL 3.0 + TLS 1.0.

TL;DR: TLS 1.1 and TLS 1.2 are supported, but disabled by default for most “WinHTTP” client applications, including .NET and hence PowerShell. 

Your Server 2012 R2 hosts should be updated to change these defaults, or this issue will keep recurring.

Background information:
Microsoft .NET supports TLS 1.2, but defaults to SSL 3.0 + TLS 1.0.

Technical Recommendations:
Add the following registry keys to your Windows Server instances. Either save this as a “.reg” file, or alternatively deploy the 4 values using Group Policy Preferences.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a80

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a80

For servers where PowerShell has TLS 1.2 issues, but enabling it at the registry level causes incompatibility issues, the following snippet can be used:

# EITHER: Enable all current TLS variants:
[System.Net.ServicePointManager]::SecurityProtocol = 'Tls,Tls11,Tls12'

# OR: Enforce TLS 1.2 only and also check Certificate Revocation Lists (CRLs):
[System.Net.ServicePointManager]::SecurityProtocol = 'Tls12'
[System.Net.ServicePointManager]::CheckCertificateRevocationList = $true
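As an added example (not code from the original post), the following PowerShell audits the four registry values from the .reg file above and, with -Remediate, writes them; it decodes DefaultSecureProtocols using the WinHTTP bit values (TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800, which sum to the 0xA80 used above) and finishes by printing what the current PowerShell process would negotiate. Run it from an elevated 64-bit PowerShell so the Wow6432Node paths are not redirected.

```powershell
# Audit (and optionally remediate) the four registry values from the post.
# Without -Remediate the script only reports; -WhatIf is honoured when remediating.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

# Desired state, exactly as in the .reg file above.
$desired = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';      Value = 0x1   }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';      Value = 0x1   }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp';             Name = 'DefaultSecureProtocols'; Value = 0xA80 }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Value = 0xA80 }
)

# Bit meanings of the WinHTTP DefaultSecureProtocols mask, for a readable report.
$protoBits = [ordered]@{ 0x80 = 'TLS 1.0'; 0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }

function Get-CurrentValue($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

foreach ($d in $desired) {
    $current = Get-CurrentValue $d.Path $d.Name
    $state   = if ($current -eq $d.Value) { 'OK' } elseif ($null -eq $current) { 'MISSING' } else { 'DIFFERS' }
    $detail  = ''
    if ($d.Name -eq 'DefaultSecureProtocols' -and $null -ne $current) {
        # List which protocol bits are currently enabled in the mask.
        $detail = ($protoBits.Keys | Where-Object { $current -band $_ } | ForEach-Object { $protoBits[$_] }) -join ', '
    }
    $shown = if ($null -eq $current) { '<absent>' } else { '0x{0:X}' -f $current }
    '{0,-8} {1}\{2} = {3} {4}' -f $state, $d.Path, $d.Name, $shown, $detail

    if ($Remediate -and $state -ne 'OK' -and
        $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", ('Set DWORD 0x{0:X}' -f $d.Value))) {
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
}

# What this PowerShell process will negotiate before any per-session override
# (the SecurityProtocol assignment in the snippet above changes this for the session only).
"Process default SecurityProtocol: $([System.Net.ServicePointManager]::SecurityProtocol)"
```

Registry changes take effect for newly started processes; already-running .NET applications keep the defaults they loaded with.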
