SHA256 support and TLS 1.2 compatibility in Windows 2012R2 RDS

  • Question

  • Hi fellow Remote Desktop Services admins,

    I'm becoming increasingly confused about how well, and under exactly what requirements, Windows Server 2012 R2 running the RDS role supports the use of TLS 1.2 with clients ranging from Windows XP SP3 to Windows 8.1.

    So what I understand is:

    That TLS 1.2 is supported and enabled by default on Windows Server 2012R2. So I could buy a certificate that uses the SHA256 hash algorithm.

    - But am I right that clients ranging from Windows XP SP3 up to Windows 8.1 support this scenario?

    - Would it be necessary to manually enable TLS 1.2 on these clients, in order for them to be able to negotiate the use of TLS 1.2?

    - If TLS 1.2 isn't manually enabled on, let's say a Windows 7 client, would the RDS server and the client be able to negotiate the use of TLS 1.0 instead - now that the certificate is SHA256? Because as I understand it, SHA256 is not supported by TLS 1.0. Therefore the same certificate would have to support SHA1, as the communication with a TLS 1.0 client would require SHA1. Correct?

    What I have done

    Crawled through forums, Wikipedia, blogs and search-engine results in order to understand the possible scenarios and what RDS in Windows 2012 R2 supports. But I find it quite hard to get a solid understanding of how things exactly are.

    For example: https://technet.microsoft.com/en-us/library/dd320345(v=ws.10).aspx - applies to Win. 2012. But does it also apply to 2012R2? Out of TLS 1.0 and TLS 1.2 - TLS 1.0 is the only one mentioned.

    At the same time though, this blog: http://blogs.msdn.com/b/openspecification/archive/2012/07/24/hitchhiker-s-guide-to-debugging-rdp-protocols-part-2.aspx - seems to indicate that RDP on at least Windows 2012 server, judging by the post's date, supports TLS 1.2.

    However, it is really hard to find a clear-cut specification from Microsoft on this. I would really appreciate someone who could clarify this for me. Especially because SHA1 certificates are being phased out (starting 2017 if I'm not mistaken) and I would therefore strongly prefer to invest in a SHA256 type certificate.

    Looking forward to hearing from you.

    Thank you very much.


    Red Baron

    Friday, May 29, 2015 4:10 PM

Answers

  • Hi,

    However, I still need to know if it would be plausible to buy a SHA256 certificate and use it both for TLS 1.0 communication via RDP and for a website where TLS 1.1 or TLS 1.2 communication would be required.

    Yes, you can buy a SHA256 certificate for TLS 1.0, TLS 1.1 and TLS 1.2 communication. However, when using a SHA256 certificate as the SSL certificate, clients must support the SHA256 hash algorithm to be able to validate it.

    You will need to install this hotfix below on your Windows XP and Windows Server 2003 clients for them to support SHA2 hash algorithms (SHA256, SHA384, and SHA512) in the X.509 certificate validation.

    Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption

    https://support.microsoft.com/en-us/kb/968730?wa=wsignin1.0

    In addition, ensure that the server supports TLS 1.0 since Windows XP & Windows Server 2003, Windows Vista & Windows Server 2008 don’t support SSL/TLS versions higher than TLS 1.0.

    Secure channel compatibility support with SSL and TLS

    http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/07/secure-channel-compatibility-support-with-ssl-and-tls.aspx

    Best Regards,

    Amy



    • Proposed as answer by Amy Wang_ Monday, June 15, 2015 2:49 AM
    • Marked as answer by The Red Baron Monday, June 15, 2015 9:58 AM
    Monday, June 15, 2015 2:49 AM
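A server-side check to go with the marked answer, added here and not part of the thread or of any Microsoft documentation: run on the RDS host, it reads the RDP-Tcp listener's settings through the TerminalServices WMI class, finds the certificate the listener is bound to, and reports whether that certificate is SHA-2 signed. RDP-Tcp is the default listener name; the function names and output property names are mine. A second function lists the SHA-1-signed certificates in the machine store that the phase-out mentioned in the question will affect.

```powershell
# Added example, not from the thread. Read-only; run in an elevated PowerShell on the RDS host.

function Get-RdpListenerCertificate {
    param([string]$Listener = "RDP-Tcp")   # default listener name

    $ts = Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='$Listener'"
    if (-not $ts) { throw "RDP listener '$Listener' not found" }

    # The listener records only the SHA-1 thumbprint of its certificate. A CA-issued cert
    # lives in LocalMachine\My; the auto-generated self-signed one in LocalMachine\Remote Desktop.
    $thumb = $ts.SSLCertificateSHA1Hash
    $cert = $null
    foreach ($store in "Cert:\LocalMachine\My", "Cert:\LocalMachine\Remote Desktop") {
        if (-not $cert -and (Test-Path $store)) {
            $cert = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
        }
    }

    # Win32_TSGeneralSetting encodings: SecurityLayer 0/1/2, MinEncryptionLevel 1..4
    $layers = @{ 0 = "RDP Security Layer"; 1 = "Negotiate"; 2 = "SSL/TLS required" }
    $levels = @{ 1 = "Low"; 2 = "Client Compatible"; 3 = "High"; 4 = "FIPS" }
    $row = New-Object PSObject -Property @{
        Listener      = $ts.TerminalName
        SecurityLayer = $layers[[int]$ts.SecurityLayer]
        MinEncryption = $levels[[int]$ts.MinEncryptionLevel]
        NLARequired   = [bool]$ts.UserAuthenticationRequired
        Thumbprint    = $thumb
        CertSubject   = $null
        CertIssuer    = $null
        SignatureAlg  = $null
        IsSha2Signed  = $false
        NotAfter      = $null
    }
    if ($cert) {
        $row.CertSubject  = $cert.Subject
        $row.CertIssuer   = $cert.Issuer
        $row.SignatureAlg = $cert.SignatureAlgorithm.FriendlyName            # e.g. sha256RSA or sha1RSA
        $row.IsSha2Signed = $cert.SignatureAlgorithm.FriendlyName -match '^sha(256|384|512)'
        $row.NotAfter     = $cert.NotAfter
    }
    $row
}

function Get-Sha1SignedCertificate {
    # Certificates in the machine store still signed with SHA-1. This is the signature on
    # the certificate, which is what the SHA-1 phase-out and the client's SHA-2 support are
    # about; the hash used inside the TLS handshake is negotiated separately per connection.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -eq "sha1RSA" } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Get-RdpListenerCertificate | Format-List
Get-Sha1SignedCertificate | Format-Table -AutoSize
```

If CertFound comes back empty the listener is bound to a thumbprint that no longer exists in either store, which is the usual cause of the generic "certificate not found" RDP failures after a certificate renewal; rebinding through Win32_TSGeneralSetting.SSLCertificateSHA1Hash is the fix, but that write is outside what this read-only check does.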

All replies

  • Hi there... anybody with a suggestion? :-D

    Red Baron

    Monday, June 1, 2015 7:28 AM
  • Hi,

    Here is the most recent and useful blog I can find:

    Support for SSL/TLS protocols on Windows

    http://blogs.msdn.com/b/kaushal/archive/2011/10/02/10218922.aspx

    According to the blog, Windows 7 and Windows Server 2008 R2 (and above, of course) are the only two operating systems out there which include support for TLS 1.1 and TLS 1.2. These are not enabled by default and should be enabled via the registry.

    In addition, according to the answerer of the thread below:

    RDP protocol TLS1.1 Support

    https://social.technet.microsoft.com/Forums/en-US/9a6ac988-061a-4594-849c-dc8f037a70ad/rdp-protocol-tls11-support?forum=winserverTS

    “RDC client will not send anything higher than TLS 1.0 and the server will not accept TLS 1.1 or TLS 1.2 (if you send it client hellos with TLS 1.2 in the header it just responds with TLS 1.0). If you disable TLS 1.0 and below you cannot connect.”

    Here are some more related threads below for you:

    Remote Desktop stopped working after disabling SSL 2.0 and TLS 1.0

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e2b22dad-bb0c-4059-beec-6673783ab777/remote-desktop-stopped-working-after-disabling-ssl-20-and-tls-10?forum=smallbusinessserver

    RDP protocol TLS1.2 Support

    https://social.technet.microsoft.com/forums/windowsserver/en-US/e308a2ac-2443-4a24-abc7-fab6079fac86/rdp-protocol-tls12-support

    Best Regards,

    Amy



    • Edited by Amy Wang_ Tuesday, June 2, 2015 7:34 AM
    • Proposed as answer by Amy Wang_ Monday, June 15, 2015 2:49 AM
    Tuesday, June 2, 2015 7:33 AM
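The registry step Amy's reply refers to, as an added example that is not part of the thread or of the blog she links: the Schannel protocol keys on a Windows 7 / Server 2008 R2 machine, set for TLS 1.1 and TLS 1.2 and then read back so the change can be verified. The key path is the standard Schannel location; the function names are mine.

```powershell
# Added example, not from the thread. Needs an elevated shell; Schannel reads these keys
# at boot, so reboot afterwards.

$SchannelProtocols = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][ValidateSet("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")]
        [string]$Protocol,
        [Parameter(Mandatory = $true)][ValidateSet("Client", "Server")]
        [string]$Side,          # Client = outgoing handshakes (mstsc, browsers); Server = listeners (RDS, IIS)
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    $key = Join-Path $SchannelProtocols "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Both values matter. Enabled=0 hard-disables the version; DisabledByDefault=1 keeps it
    # out of the default handshake even when Enabled=1, which is the Windows 7 / 2008 R2
    # state for TLS 1.1 and 1.2 that the reply is talking about.
    New-ItemProperty -Path $key -Name "Enabled" -PropertyType DWord -Force `
        -Value $(if ($Enabled) { 1 } else { 0 }) | Out-Null
    New-ItemProperty -Path $key -Name "DisabledByDefault" -PropertyType DWord -Force `
        -Value $(if ($Enabled) { 0 } else { 1 }) | Out-Null
}

function Get-SchannelProtocolState {
    # One row per protocol/side; "(not set)" means the OS default applies for that version.
    foreach ($proto in "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2") {
        foreach ($side in "Client", "Server") {
            $key = Join-Path $SchannelProtocols "$proto\$side"
            $props = $null
            if (Test-Path $key) { $props = Get-ItemProperty -Path $key }
            $row = New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = "(not set)"
                DisabledByDefault = "(not set)"
            }
            if ($props -and $props.PSObject.Properties["Enabled"])           { $row.Enabled = $props.Enabled }
            if ($props -and $props.PSObject.Properties["DisabledByDefault"]) { $row.DisabledByDefault = $props.DisabledByDefault }
            $row
        }
    }
}

# Enable TLS 1.1 and 1.2 in both directions on a Windows 7 / 2008 R2 machine, then show the table.
foreach ($p in "TLS 1.1", "TLS 1.2") {
    foreach ($s in "Client", "Server") { Set-SchannelProtocol -Protocol $p -Side $s -Enabled $true }
}
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

Two caveats a practitioner will run into. Windows 8.1 and Server 2012 R2 already ship with TLS 1.2 enabled, so nothing needs changing there. And on Windows 7 / 2008 R2 the Schannel switch on its own affects browsers and other Schannel callers but does not by itself make the Remote Desktop client or the RDS listener negotiate TLS 1.1/1.2 for RDP; that came with a later RDS update (KB3080079, released after this thread).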
  • Hi Amy,

    Thank you for a good answer. However, I still need to know if it would be plausible to buy a SHA256 certificate and use it both for TLS 1.0 communication via RDP and for a website where TLS 1.1 or TLS 1.2 communication would be required.

    Thank you.


    Red Baron

    Wednesday, June 3, 2015 8:17 AM
  • Any thoughts on my latest reply, Amy or someone else?

    Red Baron

    Friday, June 5, 2015 1:15 PM
  • Anyone with a tip/answer on the last questions?


    Thank you so much.


    Red Baron

    Tuesday, June 9, 2015 12:55 PM
  • Hi Amy Wang,

    Supporting XP and 2003 clients should not be a problem, as RDP will only go with TLS 1.0. Regarding the website, the new browsers today support TLS 1.1 and up, to my understanding, so that should be good as well.

    I'll go ahead and mark your reply as an answer.

    Have a great day and thank you so much for your assistance.


    Red Baron

    Monday, June 15, 2015 9:58 AM
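A client-side probe for the two things the thread settles on (that a SHA-256-signed certificate is fine over TLS 1.0, and that RDP will only negotiate TLS 1.0), added here and not part of the thread. It sends the X.224 Connection Request with the RDP_NEG_REQ record from MS-RDPBCGR asking for the TLS security layer, parses the server's RDP_NEG_RSP or RDP_NEG_FAILURE, then performs a TLS handshake pinned to one protocol version and reports what was negotiated and what certificate the server presented. No credentials are sent: with PROTOCOL_HYBRID the CredSSP exchange would follow the handshake, and the probe stops before it. rds01.example.local is a placeholder host; the function and property names are mine.

```powershell
# Added example, not from the thread. Run from the client OS you care about; the handshake
# goes through that machine's Schannel, so its own protocol settings cap what it can offer.

function ConvertFrom-RdpNegotiationResponse {
    param([byte[]]$Response)
    # TPKT (4 bytes) + X.224 Connection Confirm (7 bytes) is all a server that only speaks
    # legacy "RDP Security" sends back. A TLS-capable server appends an 8-byte
    # RDP_NEG_RSP (type 2) or RDP_NEG_FAILURE (type 3) record.
    if ($Response.Length -lt 19) {
        return New-Object PSObject -Property @{ Outcome = "Legacy RDP Security only, no TLS offered"; TlsFollows = $false }
    }
    $type = [int]$Response[11]
    $code = [BitConverter]::ToUInt32($Response, 15)
    if ($type -eq 2) {   # selectedProtocol
        $names = @{ 0 = "PROTOCOL_RDP (legacy, no TLS)"; 1 = "PROTOCOL_SSL"; 2 = "PROTOCOL_HYBRID (TLS, then CredSSP/NLA)" }
        $name = $names[[int]$code]
        if (-not $name) { $name = "protocol value $code" }
        return New-Object PSObject -Property @{ Outcome = "Server selected $name"; TlsFollows = ($code -ne 0) }
    }
    if ($type -eq 3) {   # failureCode
        $reasons = @{ 1 = "SSL_REQUIRED_BY_SERVER"; 2 = "SSL_NOT_ALLOWED_BY_SERVER"; 3 = "SSL_CERT_NOT_ON_SERVER";
                      4 = "INCONSISTENT_FLAGS"; 5 = "HYBRID_REQUIRED_BY_SERVER"; 6 = "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER" }
        return New-Object PSObject -Property @{ Outcome = "Server refused: $($reasons[[int]$code]) ($code)"; TlsFollows = $false }
    }
    New-Object PSObject -Property @{ Outcome = "Unexpected negotiation record type $type"; TlsFollows = $false }
}

function Test-RdpTls {
    param(
        [string]$Server = "rds01.example.local",   # placeholder
        [int]$Port = 3389,
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls
    )
    [byte[]]$negReq = @(
        0x03, 0x00, 0x00, 0x13,                     # TPKT: version 3, total length 19
        0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00,   # X.224 CR: LI 14, CR/CDT 0xE0, dst-ref, src-ref, class 0
        0x01, 0x00, 0x08, 0x00,                     # RDP_NEG_REQ: type 1, flags 0, length 8
        0x03, 0x00, 0x00, 0x00                      # requestedProtocols = PROTOCOL_SSL | PROTOCOL_HYBRID
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $tcp.ReceiveTimeout = 5000
    try {
        $net = $tcp.GetStream()
        $net.Write($negReq, 0, $negReq.Length)
        $buf = New-Object byte[] 64
        $len = $net.Read($buf, 0, $buf.Length)
        $reply = New-Object byte[] $len
        [Array]::Copy($buf, $reply, $len)
        $neg = ConvertFrom-RdpNegotiationResponse -Response $reply
        if (-not $neg.TlsFollows) { return $neg }

        # Accept any certificate so the handshake completes, but keep what Schannel thought of it.
        $policy = @{ Errors = $null }
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]({
            param($sender, $certificate, $chain, $errors)
            $policy.Errors = $errors
            $true
        }.GetNewClosure())
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
        try { $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false) }
        catch {
            return New-Object PSObject -Property @{ Outcome = "$($neg.Outcome); $Protocol handshake failed: $($_.Exception.Message)" }
        }
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)   # this machine's roots and its own SHA-2 support decide this
        New-Object PSObject -Property @{
            Outcome            = $neg.Outcome
            NegotiatedProtocol = $ssl.SslProtocol
            CipherSuite        = "$($ssl.KeyExchangeAlgorithm) $($ssl.CipherAlgorithm)-$($ssl.CipherStrength) $($ssl.HashAlgorithm)"
            CertSubject        = $cert.Subject
            CertSignatureAlg   = $cert.SignatureAlgorithm.FriendlyName   # signature on the cert: sha256RSA vs sha1RSA
            CertExpires        = $cert.NotAfter
            SchannelPolicy     = $policy.Errors                          # e.g. RemoteCertificateNameMismatch
            ChainTrusted       = $trusted
            ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
        }
    } finally { $tcp.Close() }
}

# Probe one host with each TLS version in turn (Tls11/Tls12 need .NET 4.5 or later on the probing machine):
# "Tls", "Tls11", "Tls12" | ForEach-Object { Test-RdpTls -Server rds01.example.local -Protocol $_ }
```

Read the three results together: a SHA-256-signed certificate with NegotiatedProtocol Tls and ChainTrusted True is the marked answer confirmed in practice; a handshake that fails only for Tls11 and Tls12 while the Outcome line still shows PROTOCOL_SSL or PROTOCOL_HYBRID means the listener accepted the TLS security layer but its Schannel would not go above TLS 1.0; and a RemoteCertificateNameMismatch in SchannelPolicy means the certificate is fine but its subject does not match the name clients connect with, which a real RDP client will warn about regardless of the hash algorithm.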