Short version:
Create a text file named end with .reg and import it to the registry. Reboot.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00Long version:
As TLS 1.0 isn´t any longer "secure" every administrator should plan to make the switch to TLS 1.1 and TLS 1.2. Microsoft now released KB3140245 which allows Administrators to specify which SSL protocols should be used when the WINHTTP_OPTION_SECURE_PROTOCOLS flag is used (e.g. in every Microsoft Office product as explained here).
According to KB3140245 this can be controlled via DefaultSecureProtocols in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
(and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp for wow64 applications).
The possible options here are:
| DefaultSecureProtocols Value | Protocol enabled |
|---|---|
| 0x00000008 | Enable SSL 2.0 by default |
| 0x00000020 | Enable SSL 3.0 by default |
| 0x00000080 | Enable TLS 1.0 by default |
| 0x00000200 | Enable TLS 1.1 by default |
| 0x00000800 | Enable TLS 1.2 by default |
| 0x00000A00 | Enable TLS 1.1 + 1.2 |
Option 4 +5 are directly from the Microsoft website. However what most administrators do not know is that you can combine the hex values 00000200 and 00000800 (e.g. with an calculator in programmer mode) to get 00000a00. So option 3 would allow you to disable TLS 1.0 (as well as SSL 2.0 and 3.0) but allow TLS 1.1 and TLS 1.2 at the same time to allow a wider range of compatibility.
Solution:
Modify the registry according to the description given or simply import the file provided on the short version.
Microsoft has also provided a fixit tool to help you solve the problem automatically.
Download
0 comment