How to Enable TLS 1.3

    Question

  • I enabled TLS 1.1 & 1.2 using the documentation http://tecadmin.net/enable-tls-on-windows-server-and-iis/

    1) However, I now need to enable TLS 1.3. Is there any documentation for this?

    2) I also need documentation on what OS and .NET supports each version. We have OS 2008 R2 & 2012. We also have .NET 4.0, 4.5 & 4.5.2. Is there a grid that can summarize which versions support which version of TLS?

    3) Can I only enable TLS 1.2 & not 1.1? Or 1.3 and not 1.2?

    Monday, April 13, 2015 3:16 PM

Answers

  • Hi,

    Sorry for the delayed reply.

    These are not enabled by default and should be enabled via registry.

    Regards.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, May 12, 2015 8:47 AM
    Moderator

All replies

  • Hi,

    I did not find any MS official article about how to enable TLS 1.3.

    https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS12

    For the TLS version, you could refer to the WIKI article:

    http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3_.28draft.29

    For more information, you could refer to:

    TLS/SSL Settings

    https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS11

    Regards.



    Thursday, April 16, 2015 5:28 AM
    Moderator
  • So by default are TLS 1.0, 1.1, and 1.2 enabled?

    Or do I need to create the registry keys?

    Thursday, April 16, 2015 8:25 PM
  • Hi,

    Sorry for the delayed reply.

    These are not enabled by default and should be enabled via registry.

    Regards.



    Tuesday, May 12, 2015 8:47 AM
    Moderator
  • Hi Vivian

    Is it possible to get an answer of above questions as to get a superficial one?

    It is not very helpful.

    Thanks in advance for your understanding.

    Cheers

    Michael


    Kind regards Michael Damaschke

    Monday, February 12, 2018 7:29 AM
  • Hi,

    Sorry for the delayed reply.

    These are not enabled by default and should be enabled via registry.

    Regards.




    Patently unhelpful response
    Friday, February 16, 2018 7:39 PM
  • TLS1.3 was just finalized/approved on March 21st 2018 - https://kinsta.com/blog/tls-1-3/

    https://www.techrepublic.com/article/tls-1-3-is-approved-heres-how-it-could-make-the-entire-internet-safer/

    I'm in a situation where we are forced to implement TLS1.3 on our Windows 2008R2 servers to mitigate vulnerabilities associated with AEAD cipher suites. Unfortunately I'm not finding any KB articles or technical notes that address implementing TLS 1.3 on Windows.

    Wednesday, April 11, 2018 5:21 PM
  • Hi,

    Sorry for the delayed reply.

    These are not enabled by default and should be enabled via registry.

    Regards.



    unhelpful.
    Thursday, May 10, 2018 9:18 AM
  • Can you give us the registry entries to enable them???

    Wednesday, May 16, 2018 7:13 PM
  • TLS1.3 was just finalized/approved on March 21st 2018 - https://kinsta.com/blog/tls-1-3/

    https://www.techrepublic.com/article/tls-1-3-is-approved-heres-how-it-could-make-the-entire-internet-safer/

    I'm in a situation where we are forced to implement TLS1.3 on our Windows 2008R2 servers to mitigate vulnerabilities associated with AEAD cipher suites. Unfortunately I'm not finding any KB articles or technical notes that address implementing TLS 1.3 on Windows.

    TLS 1.3, being a recent specification, is not currently supported by the native SCHANNEL implementation of ANY version of Windows (even 2016). I doubt it will ever be back-ported to any version of Windows prior to 2016 / 10. Maybe not even 2016.

    If you are still running 2008 servers you have bigger problems than lack of AEAD cipher support. You can use GCM ciphers on Server 2016 with TLS 1.2 and these are classed as supporting AEAD and so will mitigate this specific risk.

    I recommend IIS Crypto from Nartac.  It will allow you to configure TLS and cipher support in ways permitted by the underlying OS without having to manually edit the registry in multiple places.

    Available from https://www.nartac.com/Products/IISCrypto


    Thursday, May 17, 2018 9:49 AM
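
Added example, not part of any post in this thread: the Schannel registry values the replies refer to, as a PowerShell audit-and-set script covering TLS 1.0 to 1.2 only (the last reply states Schannel has no TLS 1.3 support to switch on). The function names are hypothetical; the key path and the `Enabled` / `DisabledByDefault` value names are the documented Schannel settings.

```powershell
# Added example: function names are hypothetical; run from an elevated prompt.
# Schannel reads these values at startup, so reboot after changing them.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            $p = Get-ItemProperty -Path (Join-Path $base "$proto\$role") -ErrorAction SilentlyContinue
            # A missing key or value means the OS default for that Windows version applies.
            $enabled = 'not set'; $dbd = 'not set'
            if ($p -and $null -ne $p.Enabled)           { $enabled = $p.Enabled }
            if ($p -and $null -ne $p.DisabledByDefault) { $dbd = $p.DisabledByDefault }
            New-Object PSObject -Property @{
                Protocol = $proto; Role = $role
                Enabled = $enabled; DisabledByDefault = $dbd
            }
        }
    }
}

function Set-SchannelProtocol {
    param([Parameter(Mandatory = $true)][string]$Protocol,
          [Parameter(Mandatory = $true)][bool]$Enable)
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 / DisabledByDefault=0 turns the protocol on; the inverse turns it off.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Report the current state before changing anything.
Get-SchannelProtocolState | Format-Table Protocol, Role, Enabled, DisabledByDefault -AutoSize

# TLS 1.2 on, TLS 1.1 off (question 3). Uncomment after testing client compatibility.
# Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
# Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $false

# Where the TLS module exists (Windows 10 / Server 2016+), list the GCM (AEAD) suites.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite | Where-Object { $_.Name -like '*GCM*' } | Select-Object -ExpandProperty Name
}
```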