There is always that one machine that you cannot upgrade on a current version because some dependencies outside of your control demand that specific configuration. You may postpone the inevitable, but one day you run out of luck. If your box is a web server, that day will come sooner than you think.
Out of the box, IIS on Windows Server 2008 R2 offers Transport Layer Security only in version 1.0 (TLS 1.0). That version is outdated and should not be used for securing any HTTPS traffic. Unfortunately, you do not see which version your browser uses to connect to a web server, so this protocol may still be active without anyone noticing. If this is the case, your users will not be able to visit your web site once all major browsers block that version at the beginning of 2020.
Is your web server affected?
You can check whether your web site has this problem with the SSL Server Test, or open Chrome's developer tools and look at the console output:
The connection used to load resources from https://**** used TLS 1.0 or TLS 1.1, which are deprecated and will be disabled in the future. Once disabled, users will be prevented from loading these resources. The server should enable TLS 1.2 or later. See https://www.chromestatus.com/feature/5654791610957824 for more information.
Install the patch for TLS 1.2
When your server is up-to-date with all security patches offered by Microsoft, then you probably already have TLS 1.2 installed. In this case, you can jump to the next section and activate it.
Should you not have all patches installed, you can manually download KB4019276 from the Microsoft Update Catalog.
Activate TLS 1.2
You need to modify the registry to activate TLS 1.2. Therefore, you should first make a backup. Only when you have a backup should you open regedit and go to the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\.
There you need to create a few entries. You can do that manually and follow the steps in this little How-To by QuoVadis. Be careful: it only works if you type every key and value name exactly as given, with no spelling errors.
A much simpler approach is to copy the following lines into a file, name it tls12.reg and run it as an administrator:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```
This will create the keys and values as you need them to activate TLS 1.2.
As a final step, you need to reboot your machine. If you now visit your site, Chrome should no longer complain about TLS 1.0 or 1.1. A final check in the SSL Server Test should show you that TLS 1.2 is active.
Clean up
As soon as you no longer need TLS 1.0 and the other outdated protocols, you should disable them. You can use the same keys as you used to activate TLS 1.2, but you need to invert the values: DisabledByDefault must now be 1, while Enabled must be 0.
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
```
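The two .reg files above write the same pair of SCHANNEL values for each protocol. As an added example that is not part of the original post, the following PowerShell script (PowerShell 2.0 or later, run elevated on the server) backs up the Protocols key, applies the activation and clean-up values, and reads the resulting state back so you can verify it before rebooting. The function names Set-SchannelProtocol and Get-SchannelProtocolState are my own, and the backup path is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the server; a reboot is still required for SCHANNEL to pick up changes.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$AllProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Backup first, as the post recommends (export of the whole Protocols key; path is an assumption).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' "$env:TEMP\schannel-protocols-backup.reg" /y

function Set-SchannelProtocol {
    # Writes the same two DWORDs the .reg files create, for both Client and Server.
    # -Enable $true  -> Enabled=1, DisabledByDefault=0  (activate)
    # -Enable $false -> Enabled=0, DisabledByDefault=1  (clean up)
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,
        [Parameter(Mandatory=$true)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enable)        -Type DWord
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -Type DWord
    }
}

function Get-SchannelProtocolState {
    # Reads the values back. A missing key or value means the OS default applies
    # (on 2008 R2 that is TLS 1.0 on and TLS 1.2 off, as the post explains), so it is reported as 'default'.
    foreach ($p in $AllProtocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $SchannelRoot "$p\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            New-Object PSObject -Property @{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

# Step 1 (only after the TLS 1.2 update is installed): activate TLS 1.2.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# Step 2, clean up. Uncomment only once nothing on the box still needs the old protocols.
# 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enable $false }

# Verify what SCHANNEL will use after the reboot.
Get-SchannelProtocolState | Select-Object Protocol, Side, Enabled, DisabledByDefault | Format-Table -AutoSize
```

Compare the table against the SSL Server Test result after the reboot; a protocol that still shows up there while the registry says Enabled=0 points at a different machine or a load balancer terminating TLS in front of this one.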
Conclusion
The blocking of TLS 1.0 and 1.1 will give a nasty little surprise in January 2020. If you still run a Windows Server 2008 R2 machine, you should take a few minutes now and activate TLS 1.2. This will make your start into 2020 much less painful.
This actually applies not to 2008R2 but to 2008 SP2!
Hi Stanislav,
Nice that it works with 2008 SP2 as well. I am pretty sure that I got the version of the server I made the change on right:
Regards,
Johnny
It works fine on fully updated Server 2008 R2 Standard SP1. Thank you!
Guys, that patch KB4019276 is only for Win Server 2008, not for 2008 R2, right?
I tried installing it on 2008 R2 but it returned “cannot install”.
So I only added the TLS1.2 keys to registry and set them correctly.
But Chrome still reports the same security issue, and when I checked the developer panel, it is still connected on TLS 1.0!!
Hi Nab,
Did you reboot your server? The registry changes will only work after a reboot.
If this reboot does not work, I can only suggest you install all other (security) updates you can get for your server and reboot once more. From what I found on Google, there are multiple changes and cumulative updates that install TLS 1.2; maybe one of those will help your server as well.
Regards,
Johnny
Hey Johnny, yes I had rebooted the server each time after editing the registry.
I will search for updates.
BTW, this server is on cloud and runs a cloud version OS.
I was thinking that TLS 1.2 had naturally been an embedded part of the first release of Windows 2008 R2!
Thank you!
Nab
I believe the correct patch for Windows Server 2008 R2 is KB3140245.
In order not to depend on a specific KB, you can download all pending updates as well, and make changes to regedit.
I did it today and it worked.
Grateful for the post
Thank you.
I already had the update installed; all that was missing was changing the registry.
I followed the procedure and everything worked.
Thanks for the help 😉
By upgrading from TLS 1.1 to TLS 1.2 in Windows 2008 R2 SP1, will it create any impact on an application running on Dotnet 4.5? Could anyone please confirm or post a reply immediately??
Unfortunately, I don’t know why, but even with all updates installed and the registry changed, I continue to be informed that 1.0 and 1.1 are active and 1.2 is not active. I even tested what is on the site https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)?redirectedfrom=MSDN and it still didn’t work.
Thanks a lot, it works for me. My website connection is now secured
We have set up new Dynamics CRM 2013 instances on new Windows/SQL 2012 servers with a new domain enforcing security protocols HTTPS and TLS 1.2. Our old server setup was using HTTP and TLS 1.0.
Ask: Do the security protocols HTTPS and TLS 1.2 support Dynamics CRM 2013?
Hi Raghava,
I have no knowledge about Dynamics CRM 2013. From the age of the version I suspect it will only support TLS 1.2 with an additional patch – if it supports it at all.
Regards,
Johnny
What to do first: Registry change or Update?
First install the update. Otherwise your web server no longer works because it lacks the support for TLS 1.2.
Thanks a lot.