TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2

    Question

  • We have a server running Windows Server 2008 SP2, and since it does not support TLS 1.1 and TLS 1.2, we have just applied the patch KB4019276, which was released in July 2017. 

    The server was restarted, and we have also enabled TLS 1.1 and TLS 1.2 in the registry and restarted the server again. But when we use IISCrypto.exe to check the settings, it still does not show TLS 1.1 or TLS 1.2. 

    When we go to IE Internet Options | Advanced, we also still cannot see "Use TLS 1.1" and "Use TLS 1.2". Please advise.
    Friday, August 4, 2017 10:51 AM

All replies

  • Hi,

    Working on my side (only tried the server side); make sure you created the registry keys in the right structure:

    Windows Registry Editor Version 5.00

    ; Schannel protocol keys for the server side of TLS 1.1 and TLS 1.2
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000

    Also, you will need to reboot your system after the registry changes.



    Regards

    Daniel

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Friday, August 4, 2017 2:44 PM
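    Added example, not part of Daniel's reply or of the KB article: the same Schannel keys created from an elevated PowerShell prompt for both the Client and Server side of TLS 1.1 and TLS 1.2, followed by a read-back so the state can be verified without relying on IIS Crypto. The "Enabled"=1 value is an addition beyond the .reg snippet above (assumed harmless, since Schannel treats a missing Enabled value as enabled); the function names are my own.

```powershell
# Added example (not from the thread): create the Schannel protocol keys that
# KB4019276 reads, for both the Client and Server side of TLS 1.1 and TLS 1.2,
# then read them back so the result can be checked without IIS Crypto.
# Run from an elevated prompt; Schannel only picks the values up after a reboot.
# Works on PowerShell 2.0 (the version shipped for Server 2008 SP2).

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Enable-SchannelProtocol {
    # Creates <Protocols>\<Protocol>\Client and \Server with
    # DisabledByDefault=0 (as in the thread) and Enabled=1 (addition, see lead-in).
    param([string]$Protocol)   # e.g. 'TLS 1.1' or 'TLS 1.2'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $Protocol) $side
        # -Force creates the intermediate key and does not fail if it already exists.
        $null = New-Item -Path $key -Force
        $null = New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force
        $null = New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force
    }
}

function Get-RegDword {
    # Returns the DWORD value, or a marker string when the key or value is absent.
    # An absent key is Schannel's default state, so 'key missing' is a normal answer.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return 'key missing' }
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($props) { return $props.$Name } else { return 'value missing' }
}

function Get-SchannelProtocolState {
    # One row per protocol and side; this is the check to run when a GUI tool
    # does not list TLS 1.1 / 1.2 for this OS version.
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $schannel $p) $side
            $enabled  = Get-RegDword -Key $key -Name 'Enabled'
            $disabled = Get-RegDword -Key $key -Name 'DisabledByDefault'
            New-Object PSObject -Property @{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
            }
        }
    }
}

# Usage: enable both protocols, then show the resulting registry state.
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Enable-SchannelProtocol -Protocol $_ }
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
Write-Host 'Reboot required before Schannel uses the new settings.'
```

    The read-back table is the useful part: if TLS 1.1 / TLS 1.2 rows show DisabledByDefault = 0 after the reboot, the registry side is done, and a tool that still lists only SSL 2.0 / SSL 3.0 / TLS 1.0 is reporting its own idea of what the OS supports rather than the live Schannel configuration.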
  • Daniel, 

    Thanks for the reply. And yes, we are very sure that we have created the registry entries as you mentioned. Unfortunately, it still does not work. Besides the Server key, we also created the Client key. In fact, we did what is specified in this article: 

    https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows-server-2008-s

    Any idea?

    Friday, August 4, 2017 7:56 PM
  • Will check the client side & IE settings on Monday. Is the server side working? You can check that with https://www.ssllabs.com (if you have an IIS site set up).

    Regards

    Daniel


    Saturday, August 5, 2017 6:16 PM
  • Hi Daniel, we used https://www.nartac.com/Products/IISCrypto to check, and there is no option for TLS 1.1 and TLS 1.2 when we run IISCrypto. We can only see TLS 1.0, SSL 2.0 and SSL 3.0. 
    Monday, August 7, 2017 12:40 AM
  • Hi,

    I've now tested this on two 2008 SP2 Servers, the server side always works fine.

    The client side, however (at least in IE 9), as you mentioned, is missing the TLS 1.1 and 1.2 options. - I think this is an IE 9 problem for Server 2008. - IE might need to be updated to support TLS 1.1 and 1.2 on 2008.

    Regarding IISCrypto, they probably hardcoded into the program that 2008 is not supported, so they dropped the TLS 1.1 & 1.2 options.

    Evidence in the older version:


    Regards

    Daniel


    Monday, August 7, 2017 1:06 PM
  • I see. Right now, our scenario is that we are using HttpClient in C# to connect to a server application (belonging to a third-party provider), and they only support TLS 1.2. When we run the application on a local machine, which is Windows 10, it works perfectly, but when we put it on the Windows Server 2008 SP2 (with the TLS 1.2 patch mentioned above), it does not work, with the error "System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.". 
    Tuesday, August 8, 2017 1:14 AM
  • Hi Daniel, any insight on the TLS client issue?
    Sunday, August 13, 2017 3:59 AM
  • This might help for IE 9 issue.

    https://community.qualys.com/thread/17465-tls-12-for-2008-non-r2


    Monday, August 14, 2017 4:20 PM
  • Hi Chris, I tried it and it does not work. 
    Tuesday, August 15, 2017 2:26 AM
  • Hi everybody,

    I tried the suggested article from Chris and it seems to work in IE:

    Before:

    After:

    The GPO setting:

    Run gpupdate /force after.

    So I think KB4019276 is definitely working (Client and Server), Schannel support for TLS 1.1 & 1.2 is present. 

    Pang Tat Sean you could try to get it working in IE, and then try the C# app?

    Verify: https://www.ssllabs.com/ssltest/viewMyClient.html


    Regards

    Daniel


    Wednesday, August 16, 2017 2:55 PM
  • I used Fiddler to try, and it still returns an exception; I masked the URL. 

    HTTP/1.1 502 Fiddler - Connection Failed
    Date: Thu, 17 Aug 2017 00:47:35 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    Cache-Control: no-cache, must-revalidate
    Timestamp: 08:47:35.214

    [Fiddler] The connection to 'callbacks.xxxxxx.com' failed.
    System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https> HTTPS handshake to callbacks.gopangea.com (for #33) failed. System.Security.Authentication.AuthenticationException A call to SSPI failed, see inner exception. < The message received was unexpected or badly formatted

    Win32 (SChannel) Native Error Code: 0x80090326


    Thursday, August 17, 2017 12:49 AM
  • Daniel, you are right, my IE shows the same screen as what you shared. So, that means IE should work with TLS 1.2. But when I tried with Fiddler, it shows an exception. 

    To make it more straightforward: when you try https://callbacks.gopangea.com/ with Chrome and Firefox on Windows Server 2008 SP2, you will get something shown in the browser, but if you try with IE, I think you get some errors. 

    Thursday, August 17, 2017 12:54 AM
  • Hi,

    As far as I can tell now, TLS 1.2 isn't the problem; I think it comes down to missing support for newer ciphers on 2008. -> TLS Cipher Suites in Windows Vista.

    My IE ciphers:

    Your Webserver supported ciphers:

    As far as I can see there are no ciphers which are supported on both sides, so they can't communicate?

    To summarize:

    • TLS 1.1 & 1.2 are working on 2008 SP2 (but only with "older" ciphers, which works out on some/most normal sites on the Web that still support those)
    • Your server only accepts newer ciphers (which enhances security but cuts support for older systems)
    • The site is working in Chrome/Firefox because they don't use Schannel (they have their own crypto provider)

    I've no idea if Microsoft plans to support newer ciphers on 2008 SP2 in the future. Anyone?


    Regards

    Daniel


    Thursday, August 17, 2017 9:21 AM
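    Added diagnostic, written for this thread and not posted by Daniel or anyone else here: it covers both the C# HttpClient failure reported earlier and the cipher suite explanation above. The first function drives a TLS 1.2 handshake through .NET's SslStream (which sits directly on Schannel) and reports either the negotiated cipher parameters or the innermost Schannel error code; the second makes an HTTPS request the way HttpClient would, after explicitly enabling TLS 1.2 on ServicePointManager. Assumptions: .NET Framework 4.5 or later is installed on the 2008 SP2 box (SslProtocols.Tls12 and Exception.HResult only exist from 4.5), the host name is a constructed placeholder, and the function names are my own.

```powershell
# Added diagnostic (not from the thread). Run on the Windows Server 2008 SP2 box.
# Assumes .NET Framework 4.5+ (needed for SslProtocols.Tls12 and Exception.HResult).
param(
    [string]$TargetHost = 'tls12-only.example.invalid',   # constructed placeholder
    [int]$Port = 443
)

function Get-RootException {
    # Schannel errors arrive wrapped (AuthenticationException -> Win32Exception);
    # walk to the innermost exception so the native error code is visible.
    param([System.Exception]$Exception)
    $ex = $Exception
    while ($ex.InnerException) { $ex = $ex.InnerException }
    return $ex
}

function Test-Tls12Handshake {
    # Forces a TLS 1.2 ClientHello through Schannel, independent of
    # ServicePointManager, and reports what (if anything) was negotiated.
    param([string]$HostName, [int]$Port = 443)
    $result = @{ Host = $HostName; Succeeded = $false; Protocol = $null
                 KeyExchange = $null; Cipher = $null; CipherStrength = $null
                 Hash = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default (strict) certificate validation on purpose: the failure we are
        # looking for is cipher suite selection, not certificate trust.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            $result.Succeeded      = $true
            $result.Protocol       = $ssl.SslProtocol
            $result.KeyExchange    = $ssl.KeyExchangeAlgorithm
            $result.Cipher         = $ssl.CipherAlgorithm
            $result.CipherStrength = $ssl.CipherStrength
            $result.Hash           = $ssl.HashAlgorithm
        } finally { $ssl.Dispose() }
    } catch {
        $root = Get-RootException $_.Exception
        if ($root -is [System.ComponentModel.Win32Exception]) { $code = $root.NativeErrorCode }
        else { $code = $root.HResult }
        # 0x80090326 (SEC_E_ILLEGAL_MESSAGE, "The message received was unexpected or
        # badly formatted") is the code quoted in the thread; Schannel typically
        # reports it when the server answers the ClientHello with a fatal alert,
        # which is what happens when none of the offered cipher suites is acceptable.
        $result.Error = '{0}: {1} (0x{2:X8})' -f $root.GetType().Name, $root.Message, $code
    } finally { $client.Close() }
    return New-Object PSObject -Property $result
}

function Test-HttpsViaServicePointManager {
    # HttpClient and HttpWebRequest both go through ServicePointManager. On .NET 4.5
    # the default SecurityProtocol is Ssl3|Tls (no TLS 1.2), so a client app must
    # opt in, exactly as the C# code should before creating its HttpClient:
    #   ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    param([string]$Url)
    $saved = [System.Net.ServicePointManager]::SecurityProtocol
    try {
        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
        $request = [System.Net.WebRequest]::Create($Url)
        $request.Method = 'HEAD'
        $response = $request.GetResponse()
        try { return 'HTTP {0} over TLS 1.2' -f [int]$response.StatusCode } finally { $response.Close() }
    } catch {
        $root = Get-RootException $_.Exception
        return '{0}: {1}' -f $root.GetType().Name, $root.Message
    } finally {
        [System.Net.ServicePointManager]::SecurityProtocol = $saved
    }
}

# Usage: run both checks. A handshake failure with 0x80090326 while SSL Labs shows
# the server offering only suites that 2008 SP2 lacks (GCM / SHA-256 based) points
# at Schannel's cipher suite list, not at the TLS 1.2 support KB4019276 added.
Test-Tls12Handshake -HostName $TargetHost -Port $Port |
    Format-List Host, Succeeded, Protocol, KeyExchange, Cipher, CipherStrength, Hash, Error
Test-HttpsViaServicePointManager -Url ('https://{0}:{1}/' -f $TargetHost, $Port)
```

    Reading the two results together separates the two failure modes this thread mixes up: if the SslStream probe succeeds but the ServicePointManager request fails, the application is simply not offering TLS 1.2; if the SslStream probe itself fails with the Schannel code above, no amount of registry or application changes on 2008 SP2 will help, because the two sides share no cipher suite, which is the conclusion Daniel reaches above.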
  • Thanks Daniel, it makes sense to me now!
    Thursday, August 17, 2017 9:33 AM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, August 28, 2017 2:47 PM
    Moderator
  • Hi Cartman, 

    The issue is still unresolved. We are still not able to connect to the client's URL, possibly due to the difference in available cipher suite support in Windows Server 2008 SP2, which Daniel mentioned. 

    So, we would like to know whether Microsoft is ready to provide any updates to the cipher suites to support TLS 1.2 on Windows Server 2008 SP2?

    Wednesday, August 30, 2017 2:01 AM
  • Hi Cartman, 

    Is there anything you can do to help get an update from Microsoft on whether there is a plan to release the cipher suites for TLS 1.2 for Windows Server 2008 SP2?

    Regards,

    Tat Sean

    Tuesday, September 5, 2017 1:19 AM
  • Hi Pang,

    Can you please advise if you have received any update on the above request.

    I am also looking for a resolution on this; kindly advise if you manage to find any possible solution or workaround for it.

    ~Ishaan

    Friday, November 17, 2017 7:39 PM
  • Hi Ishaan, 

    Sorry for the late reply. Unfortunately, I am yet to receive any update on that, so it is still NOT working on my side. Our "solution" is to create another new VM with the latest OS and host only the application that requires the TLS 1.2 interaction on it, in order to resolve that. :-(

    Thursday, December 28, 2017 12:56 AM
  • Hi guys,

    Do you have any update info on this?

    Regards,
    Bartek
    Monday, March 26, 2018 4:48 PM
  • Hello,

    I am having the same issue as you are. Were you able to get this resolved? 

    Thursday, August 23, 2018 9:38 PM