Summary
This article provides configuration guidelines on TLS 1.2.
Notes:
More Information
Modify the Windows registry to:
Registry Keys | DWORD Values |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client | DisabledByDefault=0, Enabled=1 |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server | DisabledByDefault=0, Enabled=1 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp | DefaultSecureProtocols=0x00000800 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp | DefaultSecureProtocols=0x00000800 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 | SchUseStrongCrypto=1 |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 | SchUseStrongCrypto=1 |
Turn on TLS 1.2
Use the Server and Client subkeys in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2 to turn on TLS 1.2. Set the following DWORD values in both subkeys:
DisabledByDefault
Set the value to: 0
Enabled
Set the value to: 1
Enable TLS 1.2 by default for WinHTTP
Add the DefaultSecureProtocols DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp registry keys.
DefaultSecureProtocols
Set the value in hexadecimal to: 800
Block RC4 in .NET TLS
Add a SchUseStrongCrypto DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 registry keys.
SchUseStrongCrypto
Set the value to: 1
Note: Restart the computer after modifying the registry.
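The following PowerShell script is an added example, not part of the original article or of Microsoft's documentation. It audits the registry values listed above and, when run with -Apply (a switch name chosen for this example), writes any value that is missing or different. It assumes an elevated 64-bit PowerShell 3.0 or later session.

```powershell
# Added example: audit, and with -Apply set, the registry values from this article.
# Run elevated from 64-bit PowerShell so HKLM:\SOFTWARE is not redirected to Wow6432Node.
param([switch]$Apply)

$proto = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$expected = @(
    @{ Path = "$proto\Client"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = "$proto\Client"; Name = 'Enabled';           Value = 1 }
    @{ Path = "$proto\Server"; Name = 'DisabledByDefault'; Value = 0 }
    @{ Path = "$proto\Server"; Name = 'Enabled';           Value = 1 }
)

# The WinHTTP and .NET values live in both the native view and, on 64-bit Windows,
# the Wow6432Node view used by 32-bit processes.
$views = @('HKLM:\SOFTWARE')
if ([Environment]::Is64BitOperatingSystem) { $views += 'HKLM:\SOFTWARE\Wow6432Node' }
foreach ($v in $views) {
    $expected += @{ Path = "$v\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
                    Name = 'DefaultSecureProtocols'; Value = 0x800 }
    $expected += @{ Path = "$v\Microsoft\.NETFramework\v4.0.30319"
                    Name = 'SchUseStrongCrypto'; Value = 1 }
}

$results = foreach ($e in $expected) {
    # A missing key or missing value both read back as $null and count as a mismatch.
    $item    = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($e.Name) } else { $null }
    $state   = if ($null -ne $current -and $current -eq $e.Value) { 'OK' } else { 'Mismatch' }

    if ($state -ne 'OK' -and $Apply) {
        # Create the key only when absent; New-Item -Force on an existing key would reset it.
        if (-not (Test-Path -LiteralPath $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Value `
            -PropertyType DWord -Force | Out-Null
        $state = 'Fixed'
    }
    [pscustomobject]@{ Key = $e.Path; Name = $e.Name; Expected = $e.Value
                       Found = $current; State = $state }
}

$results | Format-Table -AutoSize -Wrap
# A non-zero exit code lets a scheduled compliance check flag hosts that have drifted.
if ($results | Where-Object { $_.State -eq 'Mismatch' }) { exit 1 }
```

Rows reported as Fixed take effect only after the restart described in the note above.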
Web Browser Information
The latest versions of Chrome and Firefox support TLS 1.2.
All versions of Microsoft Edge support TLS 1.2.
Internet Explorer 11 with the latest security patches from Windows Updates supports TLS 1.2. In addition, open the Internet Options menu item and select Advanced. In the Security section, select the Use TLS 1.2 checkbox.
Related Links
See the following Microsoft documentation for additional information on the above registry keys.
Transport Layer Security (TLS) registry settings
Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows
Microsoft Security Advisory 2960358
Make sure that the latest Windows Updates are installed. If you are on Windows Vista or Server 2008, make sure that Microsoft KB4019276 is installed.
On versions of Windows before Windows 10 or Windows Server 2016, make sure that Microsoft KB3161949 is installed.