How to Activate TLS 1.2 on Windows Server 2008 R2 and IIS 7.5


There is always that one machine that you cannot upgrade to a current version because some dependency outside of your control demands that specific configuration. You may postpone the inevitable, but one day you run out of luck. If your box is a web server, that day will come sooner than you think.

Out of the box, IIS on Windows Server 2008 R2 offers Transport Layer Security only in version 1.0 (TLS 1.0). That version is outdated and should not be used to secure any HTTPS traffic. Unfortunately, your browser does not show you which protocol version it uses to connect to a web server, so this old protocol may still be the one in use without anyone noticing. If that is the case, your users will no longer be able to visit your web site once all major browsers block that version at the beginning of 2020.

Is your web server affected?

You can check whether your web site has this problem with the SSL Server Test, or by opening the developer tools in Chrome and looking at the console output:

The connection used to load resources from https://**** used TLS 1.0 or TLS 1.1, which are deprecated and will be disabled in the future. Once disabled, users will be prevented from loading these resources. The server should enable TLS 1.2 or later. See https://www.chromestatus.com/feature/5654791610957824 for more information.

Install the patch for TLS 1.2

If your server is up to date with all security patches offered by Microsoft, you probably already have TLS 1.2 support installed. In that case, you can jump to the next section and activate it.

If you do not have all patches installed, you can manually download KB4019276 from the Microsoft Update Catalog.

For Windows Server 2008 R2, the patch needed is the one here: https://www.catalog.update.microsoft.com/Search.aspx?q=kb3140245

According to the prompt shown by the IISCrypto.exe tool, the required patch is https://www.catalog.update.microsoft.com/Search.aspx?q=kb3080079

Activate TLS 1.2

You need to modify the registry to activate TLS 1.2, so make a backup first. Only once you have a backup should you open regedit and go to the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\.

There you need to create a few entries. You can do that manually by following the steps in this little How-To by QuoVadis. Be careful: it only works if you type every key and value name exactly, with no spelling errors.

A much simpler approach is to copy those lines into a file, name it tls12.reg, and run it as an administrator:

This creates the keys and values needed to activate TLS 1.2.

As a final step, you need to reboot the machine. If you now visit your site, Chrome should no longer complain about TLS 1.0 or 1.1. A final check with the SSL Server Test should show that TLS 1.2 is active.

Clean up

As soon as you no longer need TLS 1.0 and the other outdated protocols, you should disable them. You can use the same keys you used to activate TLS 1.2, but with the values inverted: DisabledByDefault must now be 1 and Enabled must be 0.
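The following PowerShell script is an added example, not code from the original post: it writes the same Schannel registry values that the "Activate TLS 1.2" and "Clean up" steps describe, for both the Server and Client side of each protocol, and reads them back so you can verify the result before rebooting. It assumes the registry path given above and the standard DWORD value names Enabled and DisabledByDefault; the protocol key names ('TLS 1.2', 'TLS 1.0', ...) are the ones Schannel uses.

```powershell
# Added example, not from the original post: set the Schannel protocol values
# with PowerShell instead of a hand-typed .reg file. Run in an elevated
# PowerShell on the server after you have backed up the registry.
$ProtocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Enable ($true) or disable ($false) one protocol for the Server and the
    # Client side. Enabled=1 / DisabledByDefault=0 activates it; the inverted
    # pair Enabled=0 / DisabledByDefault=1 turns it off (the Clean up step).
    # Note: the Client keys also affect outbound TLS connections this server makes.
    param(
        [Parameter(Mandatory=$true)] [string] $Name,   # e.g. 'TLS 1.2' or 'TLS 1.0'
        [Parameter(Mandatory=$true)] [bool]   $Enable
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $ProtocolsPath $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Read the values back so the change can be checked before the reboot.
    param([string[]] $Names = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($n in $Names) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $ProtocolsPath $n) $side
            $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            New-Object PSObject -Property @{
                Protocol          = $n
                Side              = $side
                Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { '(not set)' }
                DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(not set)' }
            }
        }
    }
}

# Step 1: activate TLS 1.2. Step 2 (Clean up): disable the outdated protocols.
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Name $old -Enable $false
}
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
# A reboot is still required before Schannel uses the new values.
```

Run only the first Set-SchannelProtocol call if you are not yet ready for the Clean up step; the second loop is the part that switches the old protocols off.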


Conclusion

The blocking of TLS 1.0 and 1.1 will give some people a nasty little surprise in January 2020. If you still run a Windows Server 2008 R2 machine, take a few minutes now and activate TLS 1.2. It will make your start into 2020 much less painful.

Author: Chuck Lu (GitHub)