Disabling TLSv1.0 breaks compatibility with IE 9 and 10

    Question

  • Hello..

    I'm in a bit of a dilemma with security and compatibility being at odds with each other. In order to mitigate the growing list of security problems with TLSv1, I need to disable version 1 on our server (I know how to do this, so this is not a server issue). The problem is, IE 9 and 10 do not support TLSv1.1 or TLSv1.2 by default. These can be turned on manually in Internet Options/Advanced/Security. 

    And there's the problem: it has to be enabled manually. Asking users to go through this process in order to use our sites will most likely end up in a lost sale. And if a customer disables something that should not be disabled in the security settings, that can lead to more problems for them.

    Where's the middle solution here? Most of our traffic is on IE 10. Disabling TLSv1 will shut those customers out. Does anyone know if there's an update around the corner that might enable v1.1 and 1.2 by default?

    Thank you in advance.


    Marc

    Wednesday, December 17, 2014 1:44 PM

Answers

  • Hi Morris,

    My apology.

    The related registry is the following one:

    [HKLM|HKCU]\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    Find or create the DWORD value SecureProtocols, then modify it with the proper value:

    Possible Values: Combinations of Secure Protocols:

    0 => Do not use secure protocols

    8 => Only Use SSL 2.0

    32 => Only Use SSL 3.0

    40 => Use SSL 2.0 and SSL 3.0

    128 => Only Use TLS 1.0

    136 => Use SSL 2.0 and TLS 1.0

    160 => Use SSL 3.0 and TLS 1.0

    168 => Use SSL 2.0, SSL 3.0 and TLS 1.0

    512 => Only use TLS 1.1

    520 => Use SSL 2.0 and TLS 1.1

    544 => Use SSL 3.0 and TLS 1.1

    552 => Use SSL 2.0, SSL 3.0 and TLS 1.1

    640 => TLS 1.0 and TLS 1.1

    648 => Use SSL 2.0, TLS 1.0 and TLS 1.1

    672 => Use SSL 3.0, TLS 1.0 and TLS 1.1

    680 => Use SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1

    2048 => Only use TLS 1.2

    2056 => Use SSL 2.0 and TLS 1.2

    2080 => Use SSL 3.0 and TLS 1.2

    2088 => Use SSL 2.0, SSL 3.0 and TLS 1.2

    2176 => TLS 1.0 and TLS 1.2

    2184 => Use SSL 2.0, TLS 1.0 and TLS 1.2

    2208 => Use SSL 3.0, TLS 1.0 and TLS 1.2

    2216 => Use SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.2

    2560 => TLS 1.1 and TLS 1.2

    2568 => Use SSL 2.0, TLS 1.1 and TLS 1.2

    2592 => Use SSL 3.0, TLS 1.1 and TLS 1.2

    2600 => Use SSL 2.0, SSL 3.0, TLS 1.1 and TLS 1.2

    2688 => TLS 1.0, TLS 1.1 and TLS 1.2

    2696 => Use SSL 2.0, TLS 1.0, TLS 1.1 and TLS 1.2

    2720 => Use SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2

    2728 => Use SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2

    Here is a TechNet blog talking about this (Language is in German):

    AS: 59.-63. SSL 2.0 / SSL 3.0 / TLS 1.0 / TLS 1.1 / TLS 1.2 verwenden

    Hope the information above is helpful.

    Best regards


    Michael Shao
    TechNet Community Support

    Thursday, December 25, 2014 3:10 AM
    Moderator
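The SecureProtocols value above is a bitmask (SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048), so the table is just every combination of those bits. As an added example that is not from the thread, the PowerShell below reads the value from the Internet Settings key the answer names, decodes which protocols it enables, and can compose a new value (for instance TLS 1.1 and TLS 1.2 only, which is 2560 in the table); the function names are my own, and it assumes the HKCU path is the one in effect for the user.

```powershell
# Added example: decode and compose the IE SecureProtocols DWORD.
# Bit values come from the table in the answer above (assumed correct for IE 8-11).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 8
    'SSL 3.0' = 32
    'TLS 1.0' = 128
    'TLS 1.1' = 512
    'TLS 1.2' = 2048
}
# HKCU is the per-user copy; the answer notes HKLM holds the machine-wide one.
$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-SecureProtocols {
    # Returns the names of the protocols the DWORD enables.
    # An empty list means the value is absent and IE's built-in defaults apply.
    param([string]$Path = $KeyPath)
    $item = Get-ItemProperty -Path $Path -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    $value = [int]$item.SecureProtocols
    return @($ProtocolBits.Keys | Where-Object { ($value -band $ProtocolBits[$_]) -ne 0 })
}

function Set-SecureProtocols {
    # Composes the DWORD from the protocol names given and writes it,
    # e.g. -Enable 'TLS 1.1','TLS 1.2' writes 512 + 2048 = 2560.
    param(
        [Parameter(Mandatory)][string[]]$Enable,
        [string]$Path = $KeyPath
    )
    $value = 0
    foreach ($name in $Enable) {
        if (-not $ProtocolBits.Contains($name)) { throw "Unknown protocol name: $name" }
        $value = $value -bor $ProtocolBits[$name]
    }
    Set-ItemProperty -Path $Path -Name SecureProtocols -Value $value -Type DWord
    return $value
}

# Report the current state; IE 9/10 without TLS 1.1/1.2 in this list will fail
# against a server that has TLS 1.0 disabled, which is the problem in the question.
$enabled = Get-SecureProtocols
Write-Host ("Currently enabled: " + $(if ($enabled.Count) { $enabled -join ', ' } else { '(value not set, IE defaults apply)' }))
if ($enabled -notcontains 'TLS 1.2') { Write-Host 'TLS 1.2 is not enabled for this user.' }

# To enable only TLS 1.1 and TLS 1.2 (value 2560), uncomment the next line:
# Set-SecureProtocols -Enable 'TLS 1.1','TLS 1.2'
```

Changing the value takes effect on the next Internet Explorer start, and a value with no TLS version at all (for example 0 or 40) will leave the browser unable to reach any modern HTTPS site.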

All replies

  • Hi,

    Could we make use of Group Policy to change the registry to enable TLS?

    Please check this KB article:

    Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014

    Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT for the Microsoft Extensible Authentication Protocol (EAP) implementation that enables the use of Transport Layer Security (TLS) 1.1 or 1.2 through the modification of the system registry. To enable TLS after you install this security update, you must add a DWORD value that is named TlsVersion to the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13

    The value of this registry key can be 0xC0, 0x300, 0xC00, or any OR'ed combination of these values if you want to support multiple TLS versions. The configuration can be done on both the EAP client and the EAP server. 

    Note If the EAP client and the EAP server are misconfigured so that there is no common configured TLS version, authentication will fail, and the user may lose the network connection. Therefore, we recommend that only IT Administrators apply these settings and that the settings are tested before deployment.

    For more details, please check the article above.

    If I misunderstand something, please let me know.

    Best regards


    Michael Shao
    TechNet Community Support

    Thursday, December 18, 2014 6:05 AM
    Moderator
  • Hello...

    Thank you for your reply. Unfortunately, Group Policy is not an option, as the computers needing the modification are out of the scope of our influence. We cannot make changes to a customer's registry. They are not on our internal LAN, nor are they part of our domain.

    However, the update that you sent appears very interesting. I had not heard about it. I'll apply it to some test machines in house and see how things go. If this works, we may put a link to the download for our customers.

    Do you know if this update has been released through Windows Update? If so, there's a good chance that many of our customers may already have it installed (which would be VERY COOL).

    Thank you again.

    Thursday, December 18, 2014 1:19 PM
  • I tried the suggested update and then tested here:

    https://www.ssllabs.com/ssltest/viewMyClient.html

    On Windows 7 with IE 9 and IE 10, the patch did nothing to resolve the issue. 

    IE 10/Windows 7 TLSv1.2 Fail after patch

    Thursday, December 18, 2014 1:59 PM
  • Hi Morris,

    Apologies for the late reply. What is your current situation?

    I will try to find out if there are any other ways to deal with the current situation; if there is any update, I will post back.

    Best regards


    Michael Shao
    TechNet Community Support

    Monday, December 22, 2014 2:03 AM
    Moderator
  • Hi Morris,

    There is a policy that could enable the use of TLS 1.1 and TLS 1.2 together.

    turn off encryption support

    Under:

    Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support

    The options are listed as below:

    See some reference at https://technet.microsoft.com/en-us/library/security/3009008.aspx

    We may configure this policy, and for the users not in the domain, could we suggest that they make the local policy changes to meet the requirements?

    Best regards


    Michael Shao
    TechNet Community Support

    Wednesday, December 24, 2014 10:13 AM
    Moderator
  • If your suggestion is to have every one of our customers make the policy changes locally, that is not feasible, nor possible (I have stated this previously, but will reiterate):

    We have customers from all over the United States. Some are from organizations, some are home users, some are school/education based; they all cover a broad variety of user types. Some may have administrative access to their PCs (and therefore might be able to make the change). Some might not have admin access. Some might have the access, but lack the knowledge, even with step-by-step instructions. 

    For users who see a "to place an order, you must first open the MMC and change your system policy", or go into Internet Options and enable TLSv1.2, the most likely response will be "I'm outta here," with the potential customer going to a competitor. 

    Does this make sense? I'm trying to convey that we cannot change every one of our customers' computers' TLS settings. An update from Microsoft that actually brings IE 9 and 10 to TLSv1.2 would be very grand.

    Wednesday, December 24, 2014 4:15 PM
  • I think we're having a problem with communication. Let me restate, again:

    We are unable to make these changes on our customers' computers.

    The only way to fix this globally, in my opinion, is for Microsoft to release an update to enable the extra protocols to shore up security for the end user.

    Monday, December 29, 2014 4:16 PM
  • Hi Morris,

    I apologize again for my misunderstanding.

    I thought that you could make a script to enable the settings that suits your scenario. For the global changes, as the users and other server sides like yours may have different requirements regarding TLS settings, the update to enable the TLS settings seems not to be available through Windows Update.

    Besides, TLS 1.2 is enabled by default in Internet Explorer 11, if Internet Explorer 11 is considered as an update.

    Best regards


    Michael Shao
    TechNet Community Support

    Tuesday, December 30, 2014 2:08 AM
    Moderator
  • Marc,

    Did you ever find a solution to this issue?

    I have exactly the same question. Our ASV says we need to either disable TLSv1.0 or "demonstrate that [we] have [a] formal risk mitigation and migration plan." Since we do not want to lose the business of IE 10 users and it is not reasonable to get customers to enable their own IE 10 or switch to a newer or different browser, we want to take appropriate steps to mitigate the risk.

    Regards,
    Cam



    • Edited by C_A_M Monday, May 04, 2015 5:24 PM
    Monday, May 04, 2015 5:23 PM
  • Unfortunately, no. I think the only way right now is to wait for people to "upgrade" to IE 11 and beyond.
    Tuesday, May 05, 2015 12:40 PM