Sunday, November 1, 2015

windows - Can't disable TLS 1.0




I'm working on Windows Server 2016 Standard and trying to disable TLS 1.0 and enable 1.1 and 1.2 with the IIS Crypto. However, whenever I disable 1.0 and keep 1.1 and 1.2 enabled, my IIS apps stop serving. I've rebooted the server after the changes.



I saw this post but it's not quite what I'm trying to do. There's also this fix but it doesn't apply to Server 2016.



My Global.asax.cs contains the following in the Application_Start():



// Allow TLS 1.2 for outbound .NET client connections (ServicePointManager
// governs connections this app makes, not the TLS versions IIS accepts inbound).
ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
// Clear SSL 3.0, TLS 1.0 and TLS 1.1 from the allowed set.
ServicePointManager.SecurityProtocol &=
    ~(SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11);



What am I missing?


Answer



Found the answer by using the OpenSSL tool. You run the tool with the following command to test if the server supports various versions of TLS (with help from here):




openssl s_client -connect example.com:443 -tls1_1





CONNECTED(00000150)
40400:error:1417118C:SSL routines:tls_process_server_hello:version too low:ssl\statem\statem_clnt.c:917:
---
no peer certificate available
---
No client certificate CA names sent
---


The server didn't have a good cert so it could only support TLS 1.0.
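As an added example (not code from the original question or answer), the POSIX shell script below runs the probe from the answer once per TLS version flag and classifies each result from the s_client output, so the check above can be repeated for every version at once. It assumes an OpenSSL 1.1.0 or newer s_client on PATH and a reachable host given as the first argument.

```shell
#!/bin/sh
# Added example: probe which TLS versions a server accepts, one openssl
# s_client run per version flag, and classify each run's output.

# classify_s_client OUTPUT -> prints supported | rejected | unknown
# A refused version shows an SSL routines error line (":error:", e.g. the
# "version too low" seen in the answer) and/or "Cipher is (NONE)"; a completed
# handshake prints "New, TLSvX.Y, Cipher is <suite>".
classify_s_client() {
    out=$1
    if printf '%s\n' "$out" | grep -qE ':error:|Cipher is \(NONE\)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
        echo supported
    else
        echo unknown
    fi
}

# probe_tls HOST [PORT]: try each version flag and print one line per version.
probe_tls() {
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        # </dev/null closes stdin so s_client exits after the handshake;
        # 2>&1 keeps the error text that s_client prints on stderr.
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(classify_s_client "$out")"
    done
}

# Constructed sample: the failure text quoted in the answer (TLS 1.1 refused).
SAMPLE_REJECTED='CONNECTED(00000150)
40400:error:1417118C:SSL routines:tls_process_server_hello:version too low:ssl\statem\statem_clnt.c:917:
---
no peer certificate available
---'

# Constructed sample: the summary lines of a successful TLS 1.2 handshake.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'

# Only touch the network when a host is supplied, e.g. ./probe.sh example.com
if [ -n "${1:-}" ]; then probe_tls "$1" "${2:-443}"; fi
```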


