Configuration Information for TLS 1.2.

November 20, 2020 | KB: 1013919
Laserfiche 10

Summary

This article provides configuration guidelines on TLS 1.2.

Notes:

  • The following manual configuration procedures are not specific to Laserfiche software and will update the TLS protocol preferences for all installed .NET 4 applications.
  • TLS 1.2 is on by default in Windows 8/Windows Server 2012 and higher.

More Information

Modify the Windows registry to:

  1. Turn on support for TLS 1.2.
  2. Enable TLS 1.2 by default for WinHTTP.
  3. Block the use of the RC4 encryption cipher in .NET TLS.

Registry Keys and DWORD Values

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
      DisabledByDefault=0
      Enabled=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
      DefaultSecureProtocols=0x00000800
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
      SchUseStrongCrypto=1

Turn on TLS 1.2

Use the Server and Client subkeys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2 to turn on TLS 1.2.

  1. From the Windows search bar, use regedit to open the Windows Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client.
  3. Create a new DWORD value named:

    DisabledByDefault

    Set the value to:

    0

  4. Create a new DWORD value named:

    Enabled

    Set the value to:

    1

  5. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server.
  6. Create a new DWORD value named:

    DisabledByDefault

    Set the value to:

    0

  7. Create a new DWORD value named:

    Enabled

    Set the value to:

    1

Enable TLS 1.2 by default for WinHTTP

Add the DefaultSecureProtocols DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp registry keys.

  1. From the Windows search bar, use regedit to open the Windows Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.
  3. Create a new DWORD value named:

    DefaultSecureProtocols

    Set the value in hexadecimal to:

    800

  4. On a 64-bit version of Windows, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and repeat step 3.

Block RC4 in .NET TLS

Add a SchUseStrongCrypto DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 registry keys.

  1. From the Windows search bar, use regedit to open the Windows Registry Editor.
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
  3. Create a new DWORD value named:

    SchUseStrongCrypto

  4. Set the value to:

    1

  5. On a 64-bit version of Windows, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 and repeat steps 3 and 4.

Note: Restart the computer after modifying the registry.
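
The three procedures above can be checked, and optionally applied, in one pass. The following script is an added example, not Laserfiche or Microsoft code: it reports each value from the table against what is currently in the registry. The -Apply switch and the variable names are assumptions of this example; it assumes Windows PowerShell 3.0 or later, run as a 64-bit process on 64-bit Windows, elevated when -Apply is used.

```powershell
# Added example (not from the original article): audits the registry values
# listed in this article and, with -Apply, creates or corrects them.
# -Apply needs an elevated session; restart the computer afterwards.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$winHttp  = 'Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$netFx    = 'Microsoft\.NETFramework\v4.0.30319'

# Key path, value name and expected DWORD data, as given in the article.
$settings = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = "$schannel\Client"; Name = 'Enabled'; Value = 1 }
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = "$schannel\Server"; Name = 'Enabled'; Value = 1 }
    @{ Path = "HKLM:\SOFTWARE\$winHttp"; Name = 'DefaultSecureProtocols'; Value = 0x800 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$winHttp"; Name = 'DefaultSecureProtocols'; Value = 0x800 }
    @{ Path = "HKLM:\SOFTWARE\$netFx"; Name = 'SchUseStrongCrypto'; Value = 1 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$netFx"; Name = 'SchUseStrongCrypto'; Value = 1 }
)

# The Wow6432Node keys exist only on 64-bit Windows; skip them elsewhere.
if (-not (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node')) {
    $settings = $settings | Where-Object { $_.Path -notlike '*\Wow6432Node\*' }
}

$results = foreach ($s in $settings) {
    # A missing key or value yields $null, which never equals the expected data.
    $current = (Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)

    if ($Apply -and $current -ne $s.Value) {
        # Create the key only when it is missing: New-Item -Force on an
        # existing registry key would remove the values already under it.
        if (-not (Test-Path -LiteralPath $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
        $current = (Get-ItemProperty -LiteralPath $s.Path -Name $s.Name).($s.Name)
    }

    [pscustomobject]@{
        Key       = $s.Path
        Name      = $s.Name
        Expected  = $s.Value
        Current   = $current
        Compliant = ($current -eq $s.Value)
    }
}

$results | Format-Table -AutoSize -Wrap
```

Run it without -Apply first to see which values differ; a blank Current column means the key or value does not exist yet.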

Web Browser Information

The latest versions of Chrome and Firefox support TLS 1.2.

All versions of Microsoft Edge support TLS 1.2.

Internet Explorer 11 with the latest security patches from Windows Updates supports TLS 1.2. In addition, open the Internet Options menu item and select Advanced. In the Security section, select the Use TLS 1.2 checkbox.

Related Links

See the following Microsoft documentation for additional information on the above registry keys.

Transport Layer Security (TLS) registry settings

Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows

Microsoft Security Advisory 2960358

Make sure that the latest Windows Updates are installed. If you are on Windows Vista or Server 2008, make sure that Microsoft KB4019276 is installed.

On versions of Windows before Windows 10 or Windows Server 2016, make sure that Microsoft KB3161949 is installed.