Introduction
TLS 1.2 introduced significant security enhancements over its predecessors. It improved upon the handshake process, offered better algorithm negotiation between clients and servers, and incorporated stronger cryptographic cipher suites such as AES-GCM and SHA-256. These advancements provide a more secure communication channel, protecting against various attack vectors that could compromise data confidentiality and integrity. Furthermore, adhering to TLS 1.2 is often a requirement for compliance with various industry regulations and security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Modern web browsers and online services are increasingly phasing out support for older TLS versions, making TLS 1.2 a necessary standard for continued connectivity.
CyberQP supports it's agent on older Windows OS Versions (Server 2008 R2, Server 2012, Server 2012 R2) which may not have been updated to support TLS 1.2. The agent will be updated to only support TLS 1.2 or higher moving forward.
This article is designed to assist you in determining if your Customer's older Server OS is configured to communicate with TLS 1.2. You may have other applications or services that have required TLS 1.2, and this might already be enabled for your customer's server.
Server 2008 R2 and Server 2012
Server 2012 R2
Additional Considerations
Checking and enabling the TLS 1.2 Configuration
Server 2008 R2 (SP1 is required) and Server 2012
On Windows Server 2008 R2, TLS 1.2 is not enabled by default. Therefore, the verification process involves checking if the TLS 1.2 key and its Client and Server subkeys exist under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
If these keys are present, then within the Client and Server subkeys, the Enabled DWORD value should be set to 1 and the DisabledByDefault DWORD value should be set to 0. If the TLS 1.2 key or its subkeys do not exist, TLS 1.2 is likely not enabled.
Enabling TLS 1.2 on Windows Server 2008 R2 or Server 2012 requires Service Pack installation and manual creation of the necessary registry keys (or use of the Easy Fix provided by Microsoft.)
Download and install the Service Pack for the proper OS from this page
https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392
https://catalog.update.microsoft.com/search.aspx?q=kb3140245
To Manually update the registry follow these steps
- Open Regedit
- Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Create a new key named TLS 1.2
- Under this TLS 1.2 key, create two subkeys:
- Client
- Server
- Within both the Client and Server subkeys, create two DWORD values:
- Enabled
- Value: 1 (Hexadecimal)
- DisabledByDefault
- Value 0 (Hexadecimal)
- Enabled
Plan to restart the computer after you apply this update.
Server 2012 R2
On Windows Server 2012 R2, TLS 1.2 is often enabled by default on a fresh installation, however if the Server was upgraded from an older OS, it is advisable to check.
The verification process involves checking if the TLS 1.2 key and its Client and Server subkeys exist under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
If these keys are present, then within the Client and Server subkeys, the Enabled DWORD value should be set to 1 and the DisabledByDefault DWORD value should be set to 0. If the TLS 1.2 key or its subkeys do not exist, TLS 1.2 is likely not enabled.
Alternatively you can use a registry check via CMD Prompt (as admin)
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault
The output should show Enabled with a value of 0x1 and DisabledByDefault with a value of 0x0 for both Client and Server.
If those values do not exist, or if they are set to different values, you can use the following commands or manually update/add the registry values.
- Command Line (CMD as Administrator)
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2 reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client /v Enabled /t reg_dword /d 1 reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client /v DisabledByDefault /t reg_dword /d 0 reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server /v Enabled /t reg_dword /d 1 reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server /v DisabledByDefault /t reg_dword /d 0
- Manually update the registry follow these steps
- Open Regedit
- Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Create a new key named TLS 1.2
- Under this TLS 1.2 key, create two subkeys:
- Client
- Server
- Within both the Client and Server subkeys, create two DWORD values:
- Enabled
- Value: 1 (Hexadecimal)
- DisabledByDefault
- Value 0 (Hexadecimal)
- Value 0 (Hexadecimal)
- Enabled
- GUI Tool
https://www.nartac.com/Products/IISCrypto
Download the GUI version, and run it as Admin on the System.
-
Enable the "Best Practices" for TLS
-
Click on SChannel (you only need to enable this if TLS 1.2 or higher is not enabled)
- Take a Screenshot of this screen
- The ones that show a white box with check mark are enabled manually.
- The ones that show white box no check are disabled manually.
- The ones that are greyed out mean they are set to Windows "defaults"
- At the bottom of the screen is a "Best Practices" button.
- Click the button.
- Apply
-
-
Additional Considerations
Testing
To test that the TLS is enabled properly, you can use these commands to test.
-
Run this script in elevated PowerShell to see what TLS version is enforced on that machine:
(Invoke-WebRequest -Uri "https://www.howsmyssl.com/a/check" -UseBasicParsing).Content | ConvertFrom-Json | Select-Object tls_version
This should return the TLS enabled value for the server. The highest version that the system supports will be shown as the returned value.
-
Run this in PowerShell as Admin
Invoke-WebRequest -Uri https://api.getquickpass.com
If TLS and the Cipher (Cypher) are configured correctly you will get an returned message like:Cannot GET
An error message will be returned if the supported Ciphers (Cyphers) are not enabledThe request was aborted: Could not create SSL/TLS secure channel
If you get the ERROR message then please review the following KB:
https://support.getquickpass.com/hc/en-us/articles/32372406650263-Cipher-Support-Agent-Communication
Plan to restart the computer after you apply this update.
Comments
0 comments
Please sign in to leave a comment.