TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2

  • Question

  • We have a server running Windows Server 2008 SP2, and since it does not support TLS 1.1 and TLS 1.2, we have just applied the patch, KB4019276, which was released in July 2017.

    The server was restarted, and we have also enabled TLS 1.1 and TLS 1.2 in the registry and restarted the server. But when we use IISCrypto.exe to check the setting, it still does not show TLS 1.1 or TLS 1.2.

    When we go to IE Internet Options | Advanced, we also still cannot see "Use TLS 1.1" and "Use TLS 1.2". Please advise.
    Friday, August 4, 2017 10:51 AM

All replies

  • Hi,

    Working on my side (only tried server side). Make sure you created the registry keys in the right structure:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000

    Also, you will need to reboot your system after the registry changes.



    Regards

    Daniel

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    • Edited by RabanserD Friday, August 4, 2017 7:54 PM spacing
    Friday, August 4, 2017 2:44 PM
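The registry structure Daniel describes can be audited and applied with a script instead of by hand, which also makes the Client subkeys (needed for the C# HttpClient case later in the thread) harder to forget. The following is an added example written for this thread, not code posted by Daniel or by Microsoft. It assumes KB4019276 is already installed, that it runs from an elevated prompt on the 2008 SP2 box itself (so it sticks to PowerShell 2.0 syntax), and it writes the `Enabled` value alongside `DisabledByDefault`; `Enabled` is not in Daniel's .reg fragment but is the other per-protocol Schannel switch.

```powershell
# Added example for this thread (not Daniel's or Microsoft's code): audit and,
# on request, set the Schannel protocol switches for TLS 1.1 and TLS 1.2.
# Assumes KB4019276 is installed and the script runs from an elevated prompt.
# Written for PowerShell 2.0 so that it runs on Server 2008 SP2 itself.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Get-SchannelProtocolState {
    # Returns one row per protocol/side with the raw values and whether they
    # amount to "explicitly enabled" (Enabled=1 and DisabledByDefault=0).
    param([string[]]$Protocols = @('TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path (Join-Path $SchannelProtocols $proto) $side
            $exists = Test-Path $path
            $enabled = $null; $disabledByDefault = $null
            if ($exists) {
                $props = Get-ItemProperty -Path $path
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                KeyExists         = $exists
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                ExplicitlyEnabled = ($exists -and $enabled -eq 1 -and $disabledByDefault -eq 0)
            } | Select-Object Protocol, Side, KeyExists, Enabled, DisabledByDefault, ExplicitlyEnabled
        }
    }
}

function Enable-SchannelProtocol {
    # Creates any missing keys and sets Enabled=1, DisabledByDefault=0 on both
    # the Client and Server subkeys. Schannel reads these at boot, so reboot after.
    param([string[]]$Protocols = @('TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path (Join-Path $SchannelProtocols $proto) $side
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# Usage: audit first, then apply, audit again and reboot.
Get-SchannelProtocolState | Format-Table -AutoSize
# Enable-SchannelProtocol
# Get-SchannelProtocolState | Format-Table -AutoSize
# Restart-Computer
```

Run the audit before and after the change: a row with `KeyExists` true but `ExplicitlyEnabled` false is the usual sign of a typo in the key path or of the value having been created as a string instead of a DWORD, which is exactly what the .reg fragment above is trying to rule out.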
  • Daniel, 

    Thanks for the reply. And yes, we are very sure that we have created the registry entries as you mentioned. Unfortunately, it still does not work. Besides the Server key, we also created the Client key. In fact, we did what is specified in this article,

    https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows-server-2008-s

    Any idea?

    Friday, August 4, 2017 7:56 PM
  • Will check the client side & IE settings on Monday. Is the server side working? You can check that with https://www.ssllabs.com (if you have an IIS site set up).

    Regards

    Daniel


    Saturday, August 5, 2017 6:16 PM
  • Hi Daniel, we used https://www.nartac.com/Products/IISCrypto to check and there is no option for TLS 1.1 and TLS 1.2 when we run IISCrypto. We can only see TLS 1.0, SSL 2.0 and SSL 3.0.
    Monday, August 7, 2017 12:40 AM
  • Hi,

    I've now tested this on two 2008 SP2 Servers, the server side always works fine.

    The client side however (at least in IE 9), as you mentioned, is missing the TLS 1.1 and 1.2 option. I think this is an IE 9 problem for Server 2008; IE might need to be updated to support TLS 1.1 and 1.2 on 2008.

    Regarding IISCrypto, they probably hardcoded into the program that 2008 is not supported, so they dropped the TLS 1.1 & 1.2 options.

    Evidence in the older version:


    Regards

    Daniel


    Monday, August 7, 2017 1:06 PM
  • I see. Right now, our scenario is we are using HttpClient in C# to connect to the server application (belongs to a third-party provider) and they are only supporting TLS 1.2. When we place the application on a local machine, which is Windows 10, it just works perfectly, but when we put it on the Windows Server 2008 SP2 (with the TLS 1.2 patch as aforementioned), it does not work, with error "System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.".
    Tuesday, August 8, 2017 1:14 AM
  • Hi Daniel, any insight on the issue on the TLS client?
    Sunday, August 13, 2017 3:59 AM
  • This might help for IE 9 issue.

    https://community.qualys.com/thread/17465-tls-12-for-2008-non-r2


    Monday, August 14, 2017 4:20 PM
  • Hi Chris, I tried and it does not work.
    Tuesday, August 15, 2017 2:26 AM
  • Hi everybody,

    I tried the suggested article from Chris and it seems to work in IE:

    Before:

    After:

    The GPO setting:

    Run gpupdate /force after.

    So I think KB4019276 is definitely working (Client and Server), Schannel support for TLS 1.1 & 1.2 is present. 

    Pang Tat Sean you could try to get it working in IE, and then try the C# app?

    Verify: https://www.ssllabs.com/ssltest/viewMyClient.html


    Regards

    Daniel


    Wednesday, August 16, 2017 2:55 PM
  • I used Fiddler to try, and it still returns the exception; I masked the URL.

    HTTP/1.1 502 Fiddler - Connection Failed
    Date: Thu, 17 Aug 2017 00:47:35 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Cache-Control: no-cache, must-revalidate
    Timestamp: 08:47:35.214

    [Fiddler] The connection to 'callbacks.xxxxxx.com' failed.
    System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https> HTTPS handshake to callbacks.gopangea.com (for #33) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

    Win32 (SChannel) Native Error Code: 0x80090326


    Thursday, August 17, 2017 12:49 AM
  • Daniel, you are right, my IE shows the same screen as what you shared. So, that means IE should work with TLS 1.2. But when I tried with Fiddler, it shows an exception.

    To make it more straightforward, when you try https://callbacks.gopangea.com/ with Chrome and Firefox in Windows Server 2008 SP2, you will get something shown in the browser, but if you try with IE, I think you get some errors.

    Thursday, August 17, 2017 12:54 AM
  • Hi,

    As far as I can tell now, TLS 1.2 isn't the problem, I think it comes down to missing support for newer ciphers on 2008. -> TLS Cipher Suites in Windows Vista.

    My IE ciphers:

    Your Webserver supported ciphers:

    As far as I can see there are no ciphers which are supported on both sides, so they can't communicate?

    To summarize:

    • TLS 1.1 & 1.2 is working on 2008 SP2 (but only with "older" ciphers, which works out on some/most normal sites on the Web which still support those)
    • Your server only accepts newer ciphers (which enhances security but cuts support for older systems)
    • The site is working in Chrome/Firefox because they don't use Schannel (they have their own crypto provider)

    I've no idea if Microsoft plans to support newer ciphers on 2008 SP2 in the future. Anyone?


    Regards

    Daniel


    Thursday, August 17, 2017 9:21 AM
  • Thanks Daniel, it makes sense for me now!
    Thursday, August 17, 2017 9:33 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, August 28, 2017 2:47 PM
    Moderator
  • Hi Cartman, 

    The issue is still unresolved. We are still not able to connect to the client's URL, possibly due to the difference in available support for the Cipher Suite in Windows Server 2008 SP2, which is mentioned by Daniel. 

    So, we would like to know whether Microsoft is ready to provide any updates on the Cipher Suite to support TLS 1.2 for Windows Server 2008 SP2?

    Wednesday, August 30, 2017 2:01 AM
  • Hi Cartman, 

    Anything you can help to get an update from Microsoft of whether there is a plan to release the cipher suites for TLS 1.2 for Windows Server 2008 SP2?

    Regards,

        Tat Sean

    Tuesday, September 5, 2017 1:19 AM
  • Hi Pang,

    Can you please advise if you have received any update on the above request?

    I am also looking for a resolution on this; kindly advise if you managed to find any possible solution or workaround for it.

    ~Ishaan

    Friday, November 17, 2017 7:39 PM
  • Hi Ishaan, 

    Sorry for the late reply. Unfortunately, I am yet to receive any update on that, so it is still NOT working on my side. Our "solution" is to create another new VM with the latest OS and host only the application that requires the TLS 1.2 interaction there, in order to resolve that. :-(

    Thursday, December 28, 2017 12:56 AM
  • Hi guys,

    Do you have any update info on this?

    Regards,
    Bartek
    Monday, March 26, 2018 4:48 PM
  • Hello,

    I am having the same issue, as you are.  Were you able to get this resolved? 

    Thursday, August 23, 2018 9:38 PM
  • I would have thought this would have been addressed since the original thread began in 2017 and the last comment, prior to my reply, was on March 26, 2018.

    Unless I'm missing something here, from what I can tell according to the MS TechNet site, dated 05/30/2018, (https://docs.microsoft.com/en-us/windows/desktop/secauthn/cipher-suites-in-schannel) for Windows Server 2008 and Windows Vista https://docs.microsoft.com/en-us/windows/desktop/secauthn/schannel-cipher-suites-in-windows-vista there are no TLS 1.1 or TLS 1.2 cipher suites available for Windows Server 2008, period!!!

    Furthermore, it's not like TLS 1.0 had just become an issue in 2017; in fact, if I'm not mistaken, the PCI Council released/published version 3.1 of their Data Security Standard indicating that SSL and TLS 1.0 should no longer be used after June 30, 2016 due to their vulnerability (SSL and TLS 1.0 being compromised).

    Therefore, for what reason has no one from MS ever provided an actual security patch introducing/implementing TLS 1.1 or TLS 1.2 cipher suites compatible with this platform when the extended end of life is 1/14/2020?  That's 3 years after this thread started and nearly 4 years after the PCI Council released/published their Data Security Standard version 3.1.



    Tuesday, June 25, 2019 4:40 PM
  • I think the MS site just hasn't been updated accordingly, since I have seen 2008 Servers in the wild with TLS 1.1/1.2.

    Theoretically those cipher suites should be available for Windows Server 2008 (TLS 1.0/1.1/1.2):

    • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_RC4_128_MD5
    • TLS_RSA_WITH_RC4_128_SHA

    I can't confirm it though because we retired the last server last year, but we had several running.

    Nonetheless, even if you can enable said cipher suites (the ones listed above aren't that secure anyway - they do not support SHA2, forward secrecy etc.)


    Regards

    Daniel

    MCSE - MCSA - MCP - MS - Security+ - Network+


    Tuesday, June 25, 2019 6:28 PM
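Daniel's diagnosis earlier in the thread (no cipher suite supported on both sides, so TLS 1.2 being enabled does not help) and the Server 2008 suite list in his last post can be turned into a check that is quicker than eyeballing two screenshots. The following is an added example written for this thread, not code from Daniel, Microsoft or ssllabs. The client list is the one quoted above; the server list is a constructed sample of a modern AEAD-only configuration, standing in for the third-party endpoint whose real list is not in the thread. The function that reads the "SSL Cipher Suite Order" policy value from `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002` is an addition not mentioned in the thread; when no policy is set it returns nothing and Schannel's built-in order applies.

```powershell
# Added example for this thread (not Daniel's or Microsoft's code): check
# whether a Schannel client and a TLS server share any cipher suite, which is
# the mismatch Daniel diagnosed. Runs offline on the embedded lists.

# Client side: the Windows Vista / Server 2008 suites quoted in the thread.
$Server2008ClientSuites = @(
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'TLS_RSA_WITH_RC4_128_SHA'
)

# Server side: a CONSTRUCTED sample of an AEAD-only server, standing in for
# the third-party endpoint in the thread (its real list is not in the thread).
$SampleServerSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
)

function Get-ConfiguredCipherSuiteOrder {
    # Reads the "SSL Cipher Suite Order" policy value if an administrator set
    # one; returns $null when Schannel is using its built-in default order.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if (-not (Test-Path $policy)) { return $null }
    $value = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).Functions
    if (-not $value) { return $null }
    return @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherSuiteOverlap {
    param([string[]]$ClientSuites, [string[]]$ServerSuites)
    # Schannel appends the curve (_P256/_P384) to ECDHE names; strip it so the
    # names compare against the IANA spelling that ssllabs and similar tools report.
    $client = $ClientSuites | ForEach-Object { $_ -replace '_P(256|384|521)$', '' } | Select-Object -Unique
    $common = @($ServerSuites | Where-Object { $client -contains $_ })
    # Suites that should not be relied on even when they are in common.
    $weak = @($common | Where-Object { $_ -match 'RC4|3DES|_MD5|NULL|EXPORT' })
    if ($common.Count -eq 0) {
        $verdict = 'No shared cipher suite: the handshake cannot complete (the thread saw Schannel 0x80090326 in this situation)'
    } elseif ($weak.Count -eq $common.Count) {
        $verdict = 'Only weak suites in common: negotiation works but should not be relied on'
    } else {
        $verdict = 'OK: at least one acceptable suite in common'
    }
    New-Object PSObject -Property @{
        CanNegotiate = ($common.Count -gt 0)
        CommonSuites = $common
        WeakCommon   = $weak
        Verdict      = $verdict
    } | Select-Object CanNegotiate, CommonSuites, WeakCommon, Verdict
}

# Offline run on the embedded lists: CanNegotiate comes out False, reproducing
# the "no ciphers supported on both sides" situation from the thread.
Test-CipherSuiteOverlap -ClientSuites $Server2008ClientSuites -ServerSuites $SampleServerSuites | Format-List

# On a live box, compare whatever order policy has configured instead.
$configured = Get-ConfiguredCipherSuiteOrder
if ($configured) { Test-CipherSuiteOverlap -ClientSuites $configured -ServerSuites $SampleServerSuites | Format-List }
```

To use it against a real endpoint, paste the server's suite list from an ssllabs report (or from the server's own configuration) into `$SampleServerSuites` in the same spelling. A `CanNegotiate` of False confirms that no amount of protocol-key tweaking on the 2008 side will help; a True with only `WeakCommon` entries means the connection would work but only by falling back to RC4 or 3DES, which is the trade-off the later posts in this thread are describing.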