Sep 23, 2011
tom

How to enable TLS 1.1, 1.2 in IIS 7.5

Question

We want to support web browsers utilizing TLS 1.1 and 1.2, which has been apparently implemented by Microsoft, but is turned off by default.

So I went searching on Google and discovered some pages everyone seems to be following:

http://support.microsoft.com/kb/245030

http://derek858.blogspot.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html

However! It doesn’t appear to be working for me. I have set both DWORD vaules for DisabledByDefault and Enabled for TLS 1.1 and 1.2. I can confirm my client is attempting to communicate with TLS 1.2, but the server only responds with 1.0. I’ve restarted IIS, but it didn’t change the situation.

Microsoft points out: “WARNING: The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential.”

Well, that’s very vague to me. I can’t find anywhere where SCHANNEL_CRED is defined or set, all I can determine that it’s a structure defined in a Microsoft library. That’s my only guess for why this isn’t work, yet I can’t find enough information on it to determine if it is the true problem.

Answer

Reboot. Changes to Schannel settings do not take effect until the system is rebooted.

Related posts:

  1. Using trusted certificate key and crt files to enable TLS in Sendmail
  2. Do I need to enable TLS support for postfix?
  3. How can I send email notifications from an app that does not support TLS when my service requires TLS?
  4. Require TLS on RDP for all connections
  5. How to inspect remote SMTP server’s TLS certificate?

Leave a comment