
IIS and TLS 1.2 [Answered]

15 replies

Last post Nov 30, 2011 09:04 AM by satyenshah

  • IIS and TLS 1.2

    Feb 13, 2009 11:42 AM|peaceable_whale|LINK

    The Internet Explorer 8 in Windows 7 and Windows Server 2008 R2 seems to support TLS 1.2. Does IIS 7.5 support TLS 1.2?

    SSL IIS 7.5 TLS

    Franklin Tse
  • Rovastar Rovastar

    5495 Posts

    MVP

    Moderator

    Re: IIS and TLS 1.2

    Feb 13, 2009 03:06 PM|Rovastar|LINK

    deleted
    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: IIS and TLS 1.2

    Feb 13, 2009 10:35 PM|peaceable_whale|LINK

    When I select "Use TLS 1.2" only in IE8 (all other SSL/TLS versions are unchecked), https://localhost/ cannot be displayed.

    Franklin Tse
  • Re: IIS and TLS 1.2

    Feb 20, 2009 02:31 AM|Andrew Zhu - MSFT|LINK

    Hi,

    Have you tried in IE7?

    peaceable_whale

    https://localhost/ cannot be displayed.
     

    Is there any error message? What do the log files tell?

    Regards

    Andrew Zhu
    Microsoft online ASP.NET support
    Please remember to click “Mark as Answer” on the post that helps you. This can be beneficial to other community members reading the thread.
  • Re: IIS and TLS 1.2

    Feb 20, 2009 03:02 PM|peaceable_whale|LINK

    Windows 7 does not have IE7.

    Franklin Tse
  • Re: IIS and TLS 1.2

    May 28, 2009 03:29 AM|jeremy_viegas|LINK

    Windows 7 RC supports TLS 1.2 and is one of the first few implementations to add support. Windows Server 2008 R2 and the IIS that ships with it also have support for TLS 1.2, as the underlying schannel supports TLS 1.2. It is not ON by default. See http://support.microsoft.com/kb/245030 to enable TLS 1.2. You have to add an Enabled key under SCHANNEL\Protocols\TLS 1.2\Server.
  • Re: IIS and TLS 1.2

    May 28, 2009 04:17 AM|peaceable_whale|LINK

    Does the IIS of Windows 7 support the key? I have set the required key but Internet Explorer continues to report the connection error when only TLS 1.2 is enabled.

    Franklin Tse
  • Re: IIS and TLS 1.2

    May 28, 2009 01:03 PM|anilr|LINK

    I believe only the client side of schannel on win7/ws08r2 supports TLS 1.2, the server side of schannel does not.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: IIS and TLS 1.2

    Jul 18, 2009 03:46 AM|jeremy_viegas|LINK

    Schannel server side support is available for TLS 1.2. In fact there is a test server here: https://tls.woodgrovebank.com. Please follow the instructions from my previous post to enable TLS 1.2 and TLS 1.1. Also add a DWORD DisabledByDefault with value 0.

    Thanks,
    Jeremy 

  • Re: IIS and TLS 1.2

    Jul 18, 2009 06:59 AM|peaceable_whale|LINK

    Thanks! Adding DisabledByDefault=0 has successfully enabled TLS 1.2 server support.

    The Microsoft Interop Test Server is good. However, could the Team also make an SSL/TLS test page like https://www.mikestoolbox.net/? That test page helps SSL/TLS client developers debug their programs.

    Franklin Tse
  • Re: IIS and TLS 1.2

    Jul 18, 2009 09:23 PM|steve schofield|LINK

    Test

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: IIS and TLS 1.2

    Aug 24, 2009 12:11 PM|jeremy_viegas|LINK

    We'll look into updating the test server with something similar. Thanks for the suggestion.

  • Re: IIS and TLS 1.2

    Jun 27, 2010 12:49 AM|yngdiego|LINK

    I found a blog article that has a PowerShell script that enables TLS 1.2 for client and server SCHANNEL communications.

    http://derek858.blogspot.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html

     

  • Re: IIS and TLS 1.2

    Sep 22, 2011 11:01 AM|wappentake|LINK

    Why is Windows 2008 Server R2 not listed in the "Applies To" list in the KB article? I assumed that this was because it supported TLS 1.1 and 1.1 by default.

  • Re: IIS and TLS 1.2

    Nov 09, 2011 11:33 PM|kaushilz|LINK

    IIS 7 does not include support for TLS 1.2; in fact, it relies on the Schannel component like any other Microsoft product.

    By default it is disabled on the server. So, if you want to enable server-side support, then add the registry keys as suggested in the KB article http://support.microsoft.com/kb/245030

    Below is a snippet from the article:

    <Snippet>

    SCHANNEL Key

    Start Registry Editor (Regedt32.exe), and locate the following key in the registry.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    SCHANNEL\Protocols SubKey

    To enable the use of the protocols that will not be negotiated by default (such as TLS 1.1 or TLS 1.2), change the DWORD value data of the DisabledByDefault value to 0x0 in each of the following registry keys under the Protocols key:

    • SCHANNEL\Protocols\TLS 1.1\Client
    • SCHANNEL\Protocols\TLS 1.1\Server
    • SCHANNEL\Protocols\TLS 1.2\Client
    • SCHANNEL\Protocols\TLS 1.2\Server

    <Snippet>

    Regards,

    Kaushal
    http://blogs.msdn.com/kaushal
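
The registry change discussed in the posts above, as an added PowerShell example (not part of any post in this thread, and not the script from the linked blog). It reports the `Enabled` and `DisabledByDefault` values under each of the four keys and writes them only when run with `-Apply`; the data `1` for `Enabled` is an assumption, since the thread names that value without giving its data.

```powershell
# Added example: audit, and optionally set, the SCHANNEL protocol values named in this thread.
# Run from an elevated PowerShell prompt on the IIS host. Nothing is written unless -Apply is given.
param([switch]$Apply)

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'TLS 1.1', 'TLS 1.2'
$roles     = 'Client', 'Server'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means SCHANNEL falls back to the OS default for that protocol.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $path = Join-Path (Join-Path $base $protocol) $role
        if ($Apply) {
            if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
            # Enabled = 1 is an assumption (the thread names the value but not its data);
            # DisabledByDefault = 0 is the setting the thread reports as the fix.
            New-ItemProperty -LiteralPath $path -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -LiteralPath $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
        }
        $enabled  = Get-SchannelValue -Path $path -Name 'Enabled'
        $disabled = Get-SchannelValue -Path $path -Name 'DisabledByDefault'
        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = if ($null -eq $enabled)  { '(not set)' } else { $enabled }
            DisabledByDefault = if ($null -eq $disabled) { '(not set)' } else { $disabled }
            # True only when both values are explicitly set the way the thread describes.
            ExplicitlyEnabled = ($enabled -eq 1 -and $disabled -eq 0)
        }
    }
}
$report | Format-Table -AutoSize
```

SCHANNEL reads these values at startup, so restart the server after applying them and then re-test with a client restricted to TLS 1.2, as in the original question.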
  • Re: IIS and TLS 1.2

    Nov 30, 2011 09:04 AM|satyenshah|LINK

    I like this free tool from nartac.com for disabling SSL 2.0 and enabling TLS 1.2.  It has a one-click option for PCI compliance:

     


    The tool also makes it simpler to protect against the September 2011 BEAST vulnerability by moving TLS/RC4 up to the top of the cipher list.