20,213 questions
Did you disable the protocols using IISCrypto and reboot your server? Once you do that then those protocols are no longer available and the scan tool shouldn't find them anymore.
How to confirm IIS stops using TLS 1.0 and 1.1?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 19%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
Seekell, Roger
66
Reputation points
I have a new Windows Server 2022, and I just installed IIS.
I have followed the steps on https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/disable-tls-1-1dot1-mbam-servers and https://learn.microsoft.com/en-us/answers/questions/1093730/how-to-disable-in-os-and-iis-from-tls-and-ssl-1-0 to disable old versions of TLS, enable new versions, and "SchUseStrongCrypto".
But the "sslscan" tool still shows TLS 1.0 and 1.1 as enabled (https://github.com/rbsec/sslscan).
How do I know for sure that TLS 1.0 and 1.1 are disabled? And is there another step to stop IIS on Windows Server 2022 from using old versions of TLS?
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Michael Taylor 60,326 Reputation points2024-01-23T20:36:01.9433333+00:00 -
Seekell, Roger 66 Reputation points
2024-01-23T22:08:13.6566667+00:00 Hello. IIS Crypto 3.3 is showing that TLS 1.0 and 1.1 are disabled, both server and client. Is there another way to confirm that nothing on the system is talking TLS 1.0 or 1.1?
-
Seekell, Roger 66 Reputation points
2024-01-23T22:09:21.7233333+00:00 Hello. IIS Crypto 3.3 is showing that TLS 1.0 and 1.1 are disabled, both server and client. I disabled using the registry and rebooted before testing. Is there another way to confirm that nothing on the system is talking TLS 1.0 or 1.1?
-
Michael Taylor 60,326 Reputation points
2024-01-23T22:24:08.7933333+00:00 If you have disabled the protocols AND you rebooted the server (this is required) then the protocols are disabled.
Time to take a look at some other possible causes:
- Try connecting from a client using OpenSSL
openssl s_client -connect <url> -tls1. Does it work? - Are you using anything in between the client and server such as a proxy, load balancer, etc?
- Is there another web server installed on that machine such as Tomcat? Sometimes applications install web servers that you may not know about.
- Try connecting from a client using OpenSSL
-
Seekell, Roger 66 Reputation points
2024-01-24T13:20:50.54+00:00 Good morning. When I run openssl s_client -connect <IP:443> -tls1 (or -tls1_1), then it connects, showing protocol: TLSv1.0. This is direct server to server communication to a vanilla server with only IIS installed.
-
Seekell, Roger 66 Reputation points
2024-01-24T13:32:18.3633333+00:00 Good morning. I tried openssl s_client -connect <IP:443> -tls1 (and -tls1_1), and I got the result that it is connecting with protocol: TLSv1.0 (or v1.1). This is direct server-to-server communication to a vanilla server with IIS installed.
-
Michael Taylor 60,326 Reputation points
2024-01-24T15:13:41.7166667+00:00 That doesn't make any sense. I would recommend you try again:
- Enable TLS 1.x with IISCrypto (not a script)
- Reboot
- Disable TLS 1.x for the server protocol with IISCrypto (not a script)
- Reboot
- Test again
If that doesn't work then I don't know what is going on.
-
Seekell, Roger 66 Reputation points
2024-01-25T20:53:44.3633333+00:00 Hello, Michael. I enabled/disabled with IISCrypto as you suggested, and it worked. Now the server is not communicating on TLSv1.0 or 1.1. Now the next question is - what did IISCrypto do behind the scenes? I have a few hundreds servers on which to disable old versions of TLS, so opening the GUI on each one won't be an option. Thanks.
-
Michael Taylor 60,326 Reputation points
2024-01-25T21:10:38.3933333+00:00 The SSlCrypto page says they use an MS article that documents the registry changes to make. I don't know which changes they make explicitly. I also see they support automating this using the command line.
I know that people have successfully mimiced the registry edits and rebooted the server with success but I haven't done that myself. If I were to automate this I would probably consider just using the iiscrypto tool with a template that defines what I wanted enabled or disabled. But, again, I haven't used that approach as we just run the tool manually when needed.
-
Seekell, Roger 66 Reputation points
2024-01-26T15:15:58.5233333+00:00 Well, thank you for the information and dialogue, but I asked this question trying to understand why following Microsoft's documentation did not produce the expected result. We've established if I make the registry entries myself that it doesn't disable TLS 1.0/1.1 as expected. I don't want to use a third-party tool across hundreds of servers simply to change something that should be possible by registry and following Microsoft's instructions.
Sign in to comment -
-
Seekell, Roger 66 Reputation points
2024-02-01T20:14:36.9466667+00:00 After further testing, it seems that my PowerShell script to create the 1 or 0 registry keys for TLS was creating them in the wrong way. Instead, I used a good old-fashioned .reg file and "reg import", and after that (and a reboot), the servers correctly disabled old TLS protocols! Seems the issue was on my end. Thanks for the conversation, Michael Taylor!