Newbie: Verify TLS 1.2 on Win7

system center 46 Reputation points
2020-11-17T10:18:38.98+00:00

Win7-SP1: I need to verify if TLS 1.2 is enabled or not

My understanding is as follows for the PCs I manage:

Per the existing SChannel registry:
[image attachment: 40276-schannel.jpg]

Missing Protocol entries imply usage of Win7 OS Defaults. Hence:

Enabled: TLS 1.0; SSL 3.0 (Win7 default)
Disabled: SSL 2.0 (explicitly in registry) and TLS 1.1 / 1.2 (Win7 default)
Also, various components maintain their TLS preferences (IE, .NET, Powershell, Custom Apps, IIS etc.) in their own registry/other locations.

But eventually, a protocol is selected only if it is NOT disabled in the underlying SCHANNEL

Based on the above, I have observed a confusing behavior In the Event Logs, I can see a successful TLS 1.2 connection
[image attachment: 40402-tls12.jpg]

I would expect TLS 1.2 to not work, since by default it is disabled in Win7, and there is no explicit registry key under Schannel/Protocols to enable it

Could someone please simplify what I am missing? Thanks

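The confusion in the question comes from treating "no key under Schannel\Protocols" as "disabled". SChannel has two separate switches per protocol and side: Enabled=0 hard-disables a protocol (nothing can negotiate it), whereas DisabledByDefault=1 only stops it being offered unless an application explicitly asks for it. On Windows 7 the built-in default for TLS 1.1 and TLS 1.2 is the second state, which is why a TLS 1.2 handshake can still show up in the event log. The following script is an added example, not part of the original question; it reads the registry the question shows and reports each protocol/side with that distinction made explicit. The "OS default applies" wording for absent values is this example's interpretation.

```powershell
# Added example: audit SChannel protocol settings and distinguish "hard disabled" from
# "not offered unless requested" from "not configured at all". Read-only; no elevation needed.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Client' or 'Server'
    $key = Join-Path $base "$Protocol\$Side"
    $enabled = $null; $disabledByDefault = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $enabled = $props.Enabled                      # $null when the value is absent
        $disabledByDefault = $props.DisabledByDefault  # $null when the value is absent
    }
    # Enabled=0 wins over everything; DisabledByDefault=1 only means "not offered unless an app requests it"
    $effective = if ($enabled -eq 0) { 'Hard disabled (Enabled=0): cannot be negotiated' }
                 elseif ($disabledByDefault -eq 1) { 'Not offered by default; an app can still request it' }
                 elseif ($enabled -eq 1 -and $disabledByDefault -eq 0) { 'Enabled and offered by default' }
                 elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'Not configured: OS default applies' }
                 else { 'Partially configured: the missing value follows the OS default' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        Effective         = $effective
    }
}

# Returns one row per protocol and side; on a stock Windows 7 box TLS 1.1 / 1.2 rows come back
# "Not configured", which is the state that still allows per-application negotiation of TLS 1.2.
function Get-SchannelReport {
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $p -Side $side }
    }
}

Get-SchannelReport | Format-Table -AutoSize
```

Run it on the machine whose event log shows the TLS 1.2 connection: the TLS 1.2 rows will not say "Hard disabled", which is all that is required for a component that asks for TLS 1.2 itself to succeed.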

Accepted answer
  1. abbodi86 3,876 Reputation points
    2020-11-17T15:27:21.587+00:00

    DisabledByDefault (or lack of it) does not mean it's totally disabled
    https://stackoverflow.com/a/51962330

    this mean on Windows 7 (with default SChannel registry), apps or components can still negotiate and enable TLS 1.2 on their own per request

    like Windows Update, which communicate with https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
    or powershell

    # Select TLS 1.2 (SecurityProtocolType value 3072) for this PowerShell session only
    $Tls12 = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072)
    [System.Net.ServicePointManager]::SecurityProtocol = $Tls12
    # Ask howsmyssl.com which protocol version this client actually negotiated
    Invoke-WebRequest -Uri https://www.howsmyssl.com/a/check | ConvertFrom-Json


    if you want to enable TLS 1.2 for all by default, then add the required registry for the 4 parts (SChannel, IE11, WinHTTP, .NET)

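The accepted answer names the four places that each keep their own TLS preference (SChannel, IE11, WinHTTP, .NET) but does not list the values. The script below is an added example, not the answer's own code, that audits those four and, with -Apply, writes them. Registry paths and value names are the documented ones: SChannel Enabled/DisabledByDefault under Protocols\TLS 1.2; SystemDefaultTlsVersions and SchUseStrongCrypto under the .NET Framework v4.0.30319 keys (honored by .NET Framework 4.6 and later); DefaultSecureProtocols for WinHTTP (which on Windows 7 also needs Microsoft update KB3140245 installed); and the per-user IE SecureProtocols bitmask. Two choices are this example's own: bitmask values are OR'd into whatever is already set rather than overwritten, and the mask used is 0xA80 (TLS 1.0, 1.1 and 1.2) so that adding TLS 1.2 does not silently remove TLS 1.0 from clients that still depend on it; tightening to TLS 1.2 only is a separate, later step.

```powershell
# Added example: audit (default) or apply (-Apply) the TLS 1.2 defaults for the four components the
# accepted answer lists. HKLM writes require an elevated PowerShell prompt.
param([switch]$Apply)

# Compares one DWORD value against the desired state and optionally sets it.
# -OrInto treats the value as a bitmask and keeps whatever bits are already present.
function Set-DwordValue {
    param([string]$Path, [string]$Name, [uint32]$Value, [switch]$OrInto)
    $current = $null
    if (Test-Path $Path) {
        $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $desired = if ($OrInto -and $null -ne $current) { [uint32]$current -bor $Value } else { $Value }
    $state = if ($current -eq $desired) { 'OK' } elseif ($Apply) { 'SET' } else { 'NEEDS CHANGE' }
    if ($Apply -and $current -ne $desired) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $desired -PropertyType DWord -Force | Out-Null
    }
    [pscustomobject]@{
        Path    = $Path
        Name    = $Name
        Current = if ($null -eq $current) { '(absent)' } else { '0x{0:X}' -f [uint32]$current }
        Desired = '0x{0:X}' -f $desired
        State   = $state
    }
}

$tlsMask = 0xA80   # SecureProtocols / DefaultSecureProtocols bits: TLS 1.0 (0x80) + TLS 1.1 (0x200) + TLS 1.2 (0x800)

# 1. SChannel: enable TLS 1.2 and offer it by default, for both client and server roles
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$results = @(foreach ($side in 'Client', 'Server') {
    Set-DwordValue -Path "$schannel\$side" -Name Enabled -Value 1
    Set-DwordValue -Path "$schannel\$side" -Name DisabledByDefault -Value 0
})

# 2. .NET Framework: let apps follow the OS (SChannel) defaults; Wow6432Node covers 32-bit apps on x64
$netKeys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
if ([Environment]::Is64BitOperatingSystem) { $netKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' }
$results += foreach ($net in $netKeys) {
    Set-DwordValue -Path $net -Name SystemDefaultTlsVersions -Value 1
    Set-DwordValue -Path $net -Name SchUseStrongCrypto -Value 1
}

# 3. WinHTTP (used by Windows Update, WinRM and many services)
$results += Set-DwordValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' `
                           -Name DefaultSecureProtocols -Value $tlsMask -OrInto

# 4. IE11 / WinINet for the current user (a machine-wide rollout would use the matching policy key instead)
$results += Set-DwordValue -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings' `
                           -Name SecureProtocols -Value $tlsMask -OrInto

$results | Format-Table -AutoSize
```

Run it once without -Apply to see which of the four components differ from the desired state; a "NEEDS CHANGE" on the SChannel rows alone, with the others "OK", is the typical picture on a machine where only individual applications have been opting into TLS 1.2 so far. After applying, re-run the howsmyssl check from the answer without setting SecurityProtocol first to confirm that TLS 1.2 is now negotiated by default.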

1 additional answer

  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 36,166 Reputation points Microsoft Vendor
    2020-11-18T09:03:23.937+00:00

    Hi,

    To disable the TLS 1.2 protocol, you can create an Enabled entry in either the Client or Server subkey in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
    and set the DWORD value data to 0

    [image attachment: tls-12-registry-setting.png]

    https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#:~:text=To%20disable%20TLS%201.2%20for,the%20DWORD%20value%20to%201.

    Best Regards,
    Ian
