Unable to Disable TLS 1.0 Protocol on Windows 10 Pro

Question
-
I'm unable to turn off the TLS 1.0 protocol in Windows 10 Pro. I have created the following registry entries, but it does not appear to have disabled it. How do you disable it and test that it is disabled? This is a development machine running IIS 10.0. I'm testing an application, so I'm using it as a server.
- Edited by bc2 Sunday, January 8, 2017 5:38 PM
Sunday, January 8, 2017 3:45 PM
Answers
-
I turned this into a support case and we found the answer. I had followed all of the guidance for editing the registry and advanced internet settings. MS used a sniffer and determined that I was not sending on TLS 1.0, that TLS 1.0 was closed and 1.1 was open. I was still getting a Send Failure from the WebException status.
The application I'm working with was originally .NET 4.0 and was increased to 4.5. The CC processor gave me this line of code from another partner:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
However, I could not enumerate Tls12, only Tls, which, when you hovered, told you it was TLS 1.0. So I determined the enumerated value for .Tls11 was 768. I put this line of code in my application right before the handshake with the CC processor, forcing it to TLS 1.1:
System.Net.ServicePointManager.SecurityProtocol = CType(768, SecurityProtocolType)
This solved the problem.
Enumerated article:
http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5
...bc
Monday, February 13, 2017 5:59 PM
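As an added example (not code from the thread), the same protocol selection done from Windows PowerShell, which runs on the same .NET Framework as the VB.NET line above: it lists the SecurityProtocolType members with their numeric values (768 is Tls11, 3072 is Tls12; both are defined from .NET Framework 4.5 on) and sets ServicePointManager to TLS 1.1 and 1.2 by name rather than through a bare integer. The function names are assumptions.

```powershell
# Added example (not from the thread): inspect SecurityProtocolType and select
# TLS 1.1/1.2 for the current process. Assumes Windows PowerShell on .NET
# Framework 4.5 or later, where Tls11 (768) and Tls12 (3072) exist; the
# thread's CType(768, SecurityProtocolType) is SecurityProtocolType.Tls11.
function Get-SecurityProtocolValues {
    # Hypothetical helper: name/value table of every member of the enum.
    [Enum]::GetValues([System.Net.SecurityProtocolType]) |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.ToString(); Value = [int]$_ }
        }
}

function Set-ModernSecurityProtocol {
    # Hypothetical helper: same effect as the thread's line, but by name and
    # including TLS 1.2 so the client negotiates the stronger version when offered.
    $wanted = [System.Net.SecurityProtocolType]::Tls11 -bor
              [System.Net.SecurityProtocolType]::Tls12
    [System.Net.ServicePointManager]::SecurityProtocol = $wanted
    return [System.Net.ServicePointManager]::SecurityProtocol
}

Get-SecurityProtocolValues | Format-Table -AutoSize
# On .NET 4.5 the process default is Ssl3 | Tls, i.e. TLS 1.0 at best;
# .NET 4.6 added Tls11 and Tls12 to the default set.
"Default: $([System.Net.ServicePointManager]::SecurityProtocol)"
"Now:     $(Set-ModernSecurityProtocol)"

# Check that the Tls member (TLS 1.0) is no longer part of the selection.
$current = [System.Net.ServicePointManager]::SecurityProtocol
if (($current -band [System.Net.SecurityProtocolType]::Tls) -ne 0) {
    Write-Warning "TLS 1.0 is still selected for this process"
}
```

The setting is per process, so it has to be applied in the application itself (as the answer does) before the first request to the processor; the Schannel registry keys discussed below do not change what a .NET 4.5 application asks for.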
All replies
-
Hi bc2,
Based on my research, Microsoft Windows NT Server stores information about different security-enhanced channel protocols that Windows NT Server supports. This information is stored in the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
Each key holds information about the protocol for the key. Any one of these protocols can be disabled at the server. To do this, you create a new DWORD value in the server subkey of the protocol. You set the DWORD value to "00 00 00 00."
For more information, please refer to How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
So, in your scenario, to disable the TLS 1.1 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1. See: TLS/SSL Settings
If you would like to check whether TLS 1.0 is disabled, you can try to use an open source packet analyzer, for example Wireshark, to listen to the protocol which the computer is using. And you can also try to refer to this article to get more information about the TLS 1.0 Deactivation Test.
If you still have any questions, please feel free to ask.
Regards,
Pirlo Zhang
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Monday, January 9, 2017 2:49 AM
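An added example, not from the thread or the linked Microsoft article, of the registry change described above done from an elevated Windows PowerShell session, with a read-back so the result can be checked. Schannel keeps a separate Server and Client subkey under each protocol; the Client subkey governs outbound handshakes such as the one to the card processor, the Server subkey governs IIS. Enabled is a flag (0 disables, any non-zero value enables, which is why 0xffffffff and 1 behave the same), DisabledByDefault=1 stops the protocol being offered when an application does not choose one explicitly, and a reboot is needed before Schannel picks the change up. The function names and $base variable are assumptions.

```powershell
# Added example (not from the thread): disable a Schannel protocol for both
# roles, then read the values back. Assumes an elevated session; reboot after.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    # Hypothetical helper. $Protocol is the subkey name, e.g. 'TLS 1.0'.
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 turns the protocol off for this role; DisabledByDefault = 1
        # keeps it from being offered when the caller does not pick a protocol.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Hypothetical helper: one row per role; absent values mean the OS default applies.
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$role"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Role              = $role
            Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(absent: OS default)' }
            DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(absent: OS default)' }
        }
    }
}

Disable-SchannelProtocol -Protocol 'TLS 1.0'
Get-SchannelProtocolState -Protocol 'TLS 1.0' | Format-Table -AutoSize
# Expected after a reboot: Enabled 0 / DisabledByDefault 1 for both roles, and a
# TLS 1.0-only client test (such as the SSL Labs check later in the thread) fails.
```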
I'm trying to disable TLS 1.0. The image in my original question shows my registry configured per the guidance document you referenced. That referenced document is for Windows Server 2008 and IIS 7, and I'm using Windows 10 and IIS 10. I have run the SSLLabs test, which indicates that it is still active; using ffffffff instead of 00000001 in the registry key seems to make some difference in the SSLLabs test:
https://www.ssllabs.com/ssltest/viewMyClient.html
And I interface to a vendor that requires PCI compliance, which is why I'm trying to turn it off, that is telling me that I'm still using a TLS 1.0 handshake. Thanks.
...bc
Monday, January 9, 2017 5:59 PM
Hi bc2,
Please try to go to Internet properties->Advanced->uncheck TLS1.0
Regards,
Pirlo Zhang
MSDN Community Support
Proposed as answer by Pirlo Zhang Tuesday, January 24, 2017 7:36 AM
Tuesday, January 10, 2017 8:46 AM
Hi bc2,
If your issue is solved please mark the appropriate answer as Mark as answer. This will help other members to find a solution if they face the same issue.
Thanks for your understanding and support.
Best Regards,
Pirlo Zhang
MSDN Community Support
Tuesday, January 24, 2017 7:36 AM
That didn't solve it. When I handshake with the credit card company, they are still detecting the TLS 1.0 and breaking the handshake.
...bc
Wednesday, January 25, 2017 7:38 PM