SHA256 support and TLS 1.2 compatibility in Windows 2012R2 RDS

  • Question

  • Hi fellow Remote Desktop Services admins,

    I'm becoming increasingly confused about how well, and under exactly what requirements, Windows Server 2012 R2 running the RDS role supports the use of TLS 1.2 with clients ranging from Win. XP SP3 to Win. 8.1.

    So what I understand is:

    That TLS 1.2 is supported and enabled by default on Windows Server 2012R2. So I could buy a certificate that uses the SHA256 hash algorithm.

    - But am I right that clients ranging from Windows XP SP3 up to Windows 8.1 support this scenario?

    - Would it be necessary to manually enable TLS 1.2 on these clients, in order for them to be able to negotiate the use of TLS 1.2?

    - If TLS 1.2 isn't manually enabled on, let's say a Windows 7 client, would the RDS server and the client be able to negotiate the use of TLS 1.0 instead - now that the certificate is SHA256? Because as I understand it, SHA256 is not supported by TLS 1.0. Therefore the same certificate would have to support SHA1, as the communication with a TLS 1.0 client would require SHA1. Correct?

    What I have done

    Crawled through forums, Wikipedia, blogs and search-engine results in order to understand possible scenarios and what RDS in Win. 2012R2 supports. But I find it quite hard to get a solid understanding of how things exactly are.

    For example: https://technet.microsoft.com/en-us/library/dd320345(v=ws.10).aspx - applies to Win. 2012. But does it also apply to 2012R2? Out of TLS 1.0 and TLS 1.2 - TLS 1.0 is the only one mentioned.

    At the same time though, this blog: http://blogs.msdn.com/b/openspecification/archive/2012/07/24/hitchhiker-s-guide-to-debugging-rdp-protocols-part-2.aspx - seems to indicate that RDP on at least Win. 2012 server, judging by the post's date, supports TLS 1.2.

    However, it is really hard to find a clear-cut specification from Microsoft on this. I would really appreciate someone who could clarify this for me, especially because SHA1 certificates are being phased out (starting 2017 if I'm not mistaken) and I would therefore strongly prefer to invest in a SHA256 type certificate.

    Looking forward to hearing from you.

    Thank you very much.


    Red Baron

    Friday, May 29, 2015 4:10 PM

Answers

  • Hi,

    However I still need to know if it will be plausible to buy a SHA256 certificate and use it both for TLS 1.0 communication via RDP and then use the same certificate for a website where TLS 1.1 or TLS 1.2 communication would be required.

    Yes, you can buy a SHA256 certificate for TLS 1.0, TLS 1.1 and TLS 1.2 communication. However, when using a SHA256 certificate as an SSL certificate, clients must support the SHA256 hash algorithm to be able to validate the SSL certificate.

    You will need to install the hotfix below on your Windows XP and Windows Server 2003 clients for them to support SHA2 hash algorithms (SHA256, SHA384, and SHA512) in X.509 certificate validation.

    Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption

    https://support.microsoft.com/en-us/kb/968730?wa=wsignin1.0

    In addition, ensure that the server supports TLS 1.0 since Windows XP & Windows Server 2003, Windows Vista & Windows Server 2008 don’t support SSL/TLS versions higher than TLS 1.0.

    Secure channel compatibility support with SSL and TLS

    http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 15, 2015 2:49 AM
    Moderator
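The two things the answer above hinges on, which protocol versions the RDS host will offer and which hash algorithm signs the listener certificate, can both be read off the server itself. The following PowerShell script is an added example written for this page, not code from the thread or from Microsoft. It assumes it is run elevated on the RDS host, reads the standard Schannel protocol keys under HKLM (a missing key or value means the OS default applies, which on 2012 R2 means TLS 1.2 is on), and looks up the RDP-Tcp listener's certificate through the Win32_TSGeneralSetting WMI class to report its signature algorithm (sha256RSA versus sha1RSA). It only reports server-side state; whether an XP SP3 client can validate a SHA256 certificate still depends on the KB968730 hotfix being present on that client.

```powershell
# Added example (not from the thread): audit an RDS host for TLS protocol state
# and the signature algorithm of the RDP listener certificate.
# Assumes: run elevated on the RDS host itself; 'RDP-Tcp' is the listener name.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol/side. $null in Enabled or DisabledByDefault means the
    # registry value is absent and the OS default for that version applies.
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelBase "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled            # 0 = explicitly off, 1 = explicitly on
                DisabledByDefault = $disabledByDefault  # 1 = not offered unless an app asks
            }
        }
    }
}

function Get-RdsListenerCertificate {
    # The RDP-Tcp listener records the thumbprint of its TLS certificate in WMI.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"

    # The certificate normally lives in the machine's Personal store; fall back to
    # the 'Remote Desktop' store, which holds the self-signed certificate RDS creates.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
    if (-not $cert) {
        $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' |
                Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
    }

    [pscustomobject]@{
        SecurityLayer      = $ts.SecurityLayer   # 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
        Thumbprint         = $ts.SSLCertificateSHA1Hash
        Subject            = $cert.Subject
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha256RSA or sha1RSA
        NotAfter           = $cert.NotAfter
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-RdsListenerCertificate | Format-List
```

Read the two outputs together: a SHA256-signed listener certificate with the Server side of TLS 1.0 still enabled is the configuration the answer describes, where 2012 R2 clients negotiate TLS 1.2 and XP or Vista clients fall back to TLS 1.0 against the same certificate. A SecurityLayer of 0 means the listener is using legacy RDP encryption rather than TLS, in which case the certificate's hash algorithm is not what governs the connection.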
