TLS 1.2 in Windows 7


Windows 7 includes support for TLS 1.1 and TLS 1.2. I’ve been running with 1.2 support enabled for a while now with no problems at all, so I figured I’d share how to enable it. You need to import these 4 reg keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

This will allow Win7 to use TLS 1.1 and 1.2, but only for apps that don’t explicitly ask for the TLS version they want to use. IE is one of those that want to be in control, so you need to tell it explicitly that you want it to use the new versions of TLS. To do that, check the 1.1 and 1.2 checkboxes under Tools->Internet Options->Advanced->Security.
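To confirm that the import took effect before touching IE, the four keys can be read back. This is an added example, not part of the original post: the function name Get-SchannelProtocolState is hypothetical, and the script also reports the separate SCHANNEL "Enabled" value, which the .reg file above does not set.

```powershell
# Added example: read-only audit of the SCHANNEL keys from the .reg file above.
# Written to run on PowerShell 2.0, the version shipped with Windows 7.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('TLS 1.1', 'TLS 1.2'),
        [string[]]$Role     = @('Client', 'Server')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $path = "$SchannelBase\$p\$r"
            $disabledByDefault = $null
            $enabled = $null
            if (Test-Path -LiteralPath $path) {
                $props = Get-ItemProperty -LiteralPath $path
                $disabledByDefault = $props.DisabledByDefault
                # "Enabled" is a separate SCHANNEL value that the .reg file
                # above does not set; 0 turns the protocol off outright.
                $enabled = $props.Enabled
            }

            # A missing key or value leaves the variable $null, which matches
            # none of the numeric comparisons and falls through to "not set".
            if ($enabled -eq 0)               { $status = 'disabled (Enabled=0)' }
            elseif ($disabledByDefault -eq 0) { $status = 'available by default' }
            elseif ($disabledByDefault -eq 1) { $status = 'off unless the app asks for it' }
            else                              { $status = 'not set, OS default applies' }

            New-Object PSObject -Property @{
                Protocol = $p; Role = $r; Status = $status
                DisabledByDefault = $disabledByDefault; Enabled = $enabled
            } | Select-Object Protocol, Role, DisabledByDefault, Enabled, Status
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

After the .reg file has been merged, all four rows should show DisabledByDefault as 0.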

After you’ve done that, you may wonder how to check whether this actually works. You can go to one of the few TLS interop servers available on the net. Here are a few that I know of which support TLS 1.2:

In general, you can check the page’s properties for the connection info. Going to Mike’s toolbox site, IE shows “TLS 1.2, AES with 128 bit encryption (High); RSA with 1024 bit exchange”.

Hopefully enough people will support TLS 1.2 soon enough so the world can move on : )


6 Responses to “TLS 1.2 in Windows 7”

  1. Greg Says:

    Hi, I wanted to try this out. (1) I first backed up my registry. (2) I merged the four keys that you have listed above into my registry and rebooted my computer. (3) How do you enable these keys?

    Thanks

  2. Nasko Says:

    This enables the OS to support the new protocols. If you want to use them in IE, you need to explicitly go to the Internet Options panel to enable it in the Advanced pane.

  3. Greg Says:

    Thanks for the speedy response. What about for Firefox? I’m currently using Firefox 6.02, but in the Tools-Options-Encryption-Protocols settings of Firefox 6.02 the check boxes only have SSL 3.0 and TLS 1.0. Does that mean that Firefox only supports those protocols because it is explicitly showing the check boxes irrespective of what Win 7 supports?

  4. Nasko Says:

    Firefox does not use the Windows SSL implementation. They have their own library (NSS), which implements SSL and TLS. As far as I know, they currently don’t have anything above TLS 1.0.

  5. Greg Says:

    I appreciate your response and information. Based on your experience, what web browser do you recommend, or do you use a combination of web browsers dependent on the task that you want to do?

  6. Nasko Says:

    I would consider myself a fairly technical user, so my setup will be hard for the average person to use. That said, I use multiple browsers and virtual machines, so it is hard to recommend what I do to other people.
