Disabling TLS 1.0 and SSL 3.0 in a development environment

Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which is now deprecated by the Internet Engineering Task Force (IETF) – are cryptographic protocols that provide communications security over a computer network. (Source: Transport Layer Security, Wikipedia)

The process of disabling TLS 1.0 and SSL 3.0 is something I forget between each time I need to do it in my development environment. The reason I turn them off and on again is normally that I need to test some services without TLS 1.0 and SSL 3.0, but every time I have done that, there comes a need to enable them again. It is time to document it so I do not need to search around for how it is done one more time.

The blog post I found from Microsoft disables it on Windows 2008 R2, but I found it to be the same on my Windows 10 developer machine. The whole process takes place inside the registry (regedit).

First I found the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\. To start with TLS 1.0: under that key there should be a key named TLS 1.0, and it should have one subkey called Client and one called Server. Create a DWORD (32-bit) value inside both Client and Server with the value 0.

At the same level as TLS 1.0, there should be keys named TLS 1.1 and TLS 1.2. On my developer machine the last two did not exist, so I created them and also created a Client and a Server key below both of them.

When they are created, it is time to create a DWORD (32-bit) value named DisabledByDefault in each of the four keys and set it to 0.

Now it is time to disable SSL 3.0. This is done in a very similar way, using the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server. Create a DWORD value at that location with the name Enabled and give it a value of 0.

For the changes to take effect, the machine needs to be restarted. When it is up and running again, TLS 1.0 should be disabled.

In both cases, some parts of the registry key path might not exist. They can simply be created so that the path is correct.
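The same steps as a script, added here as an example (it is not from the original post or from Microsoft): it creates any missing keys, writes the values described above, and reads them back so the result can be checked before restarting. Assumptions: it runs from an elevated PowerShell prompt, and because the post does not name the TLS 1.0 value, the script uses Enabled, the name the post gives for SSL 3.0.

```powershell
# Added example: apply the Schannel protocol settings described in the post.
# Run from an elevated PowerShell prompt; a restart is still required afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Subkey (relative to $base), value name and DWORD data, following the post.
# Assumption: 'Enabled' for TLS 1.0 (the post names it only for SSL 3.0).
$settings = @(
    @{ Key = 'TLS 1.0\Client'; Name = 'Enabled';           Data = 0 }
    @{ Key = 'TLS 1.0\Server'; Name = 'Enabled';           Data = 0 }
    @{ Key = 'TLS 1.1\Client'; Name = 'DisabledByDefault'; Data = 0 }
    @{ Key = 'TLS 1.1\Server'; Name = 'DisabledByDefault'; Data = 0 }
    @{ Key = 'TLS 1.2\Client'; Name = 'DisabledByDefault'; Data = 0 }
    @{ Key = 'TLS 1.2\Server'; Name = 'DisabledByDefault'; Data = 0 }
    @{ Key = 'SSL 3.0\Server'; Name = 'Enabled';           Data = 0 }
)

foreach ($s in $settings) {
    $path = "$base\$($s.Key)"

    # Create the key (and any missing parents) only if it is absent.
    # New-Item -Force on an existing key would wipe the values already in it.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    # Create or overwrite the DWORD value.
    New-ItemProperty -LiteralPath $path -Name $s.Name -Value $s.Data `
        -PropertyType DWord -Force | Out-Null
}

# Read everything back and compare with what was intended.
$settings | ForEach-Object {
    $path   = "$base\$($_.Key)"
    $item   = Get-ItemProperty -LiteralPath $path -Name $_.Name -ErrorAction SilentlyContinue
    $actual = $item.($_.Name)
    [pscustomobject]@{
        Key      = $_.Key
        Name     = $_.Name
        Expected = $_.Data
        Actual   = $actual
        Ok       = ($actual -eq $_.Data)
    }
} | Format-Table -AutoSize
```

Every row should show Ok as True; a False row means the value was not written, typically because the prompt is not elevated.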

Links

blogs.microsoft.com: Disabling TLS 1.0 on your Windows 2008 R2 server – just because you still have one

Teis Lindemark

Software developer, beer brewer and AGENT backer

Bergen, Norway https://teilin.net