BrianGreig-5290 asked NickMKulkarni-8993 answered

Is there a way to enable TLS 1.0 and/or 1.2 on Edge Chromium?

I know TLS 1.0 and 1.2 have been disabled on Edge Chromium since 84 - link.

However, I need to be sure they have been removed or permanently disabled. I want to be 100% sure that there is no way a user can somehow enable them.

There are sources on the internet that indicate that if you enable 1.0 and 1.0 in Internet Options, this also enables them in Edge. I don't seem to be able to replicate this though.

Also if I visit https://browserleaks.com/ssl using Edge 92 on a friend's company laptop 1.0 and 1.1 seem to be enabled. My knowledge of what settings or policy is set there is obviously limited though.

Can anyone provide any details/documentation on this?

Thanks in advance.


ms-edge
YuZhou-MSFT answered BrianGreig-5290 commented

Hi @BrianGreig-5290

As the doc describes, TLS 1.0/1.1 will remain disabled by default in Microsoft Edge version 84 and later. If you want to enable them manually, you can refer to the following steps:

  1. Open Edge and navigate to edge://flags/.

  2. Type TLS in the search bar.

  3. Change the value of Enforce deprecation of legacy TLS versions to Disabled.

  4. Restart Edge.

After finishing the above steps, when you visit https://browserleaks.com/ssl again in Edge, it will show TLS 1.0 and TLS 1.1 enabled.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Regards,
Yu Zhou



That is what I was looking for. I knew there had to be a sneaky way to re-enable TLS 1.0 and 1.1.

So to restrict users from making that change I have the policy setting "Block access to a list of URLs" set to deny access to "edge://flags".

Thanks for your help.

DonPickard-7259 answered NickMKulkarni-8993 commented

We set this policy (value=1.2) via GPO in our enterprise and it is VERY effective to block user override for old/bad TLS.
https://docs.microsoft.com/en-au/DeployEdge/microsoft-edge-policies#sslversionmin


When I use Edge Chromium v92 to test browserleaks, it shows TLS 1.0/1.1 disabled, except if I enable the IEMode feature on that browserleaks page. If I do that, TLS 1.0/1.1 are enabled because IEMode/IE11 currently allow old TLS by default.

I manage an enterprise corporate desktop ecosystem and we have a couple of very old intranet webapps which still use old TLS; we use IEMode to allow those.

So, I don't trust that reference site you quoted (Fourth/hotschedules). I think it's simply wrong or very outdated, as some of the feedback on the site itself suggests.



Thanks for the response.

I did see that policy setting but...

"Support for suppressing the TLS 1.0/1.1 warning will be removed from Microsoft Edge starting in version 91 (around May 2021) and this policy will stop working then."


"Support for suppressing the TLS 1.0/1.1 warning will be removed from Microsoft Edge starting in version 91 (around May 2021) and this policy will stop working then."

Exactly, the instructions to search for TLS in settings now produce "no results"

NickMKulkarni-8993 answered

I am trying to do the opposite and make sure that TLS 1.2 is enabled. The old settings in Internet Explorer and inetcpl.cpl are ticked on but the registry key I am used to seeing in HKLM under security providers/protocol is turning up empty in quite a few of my Windows 10 21H2 computers on our network.

Anyone got any ideas about how to check this now IE has been deprecated and slated for removal?
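
The settings discussed in this thread can be read back from the registry. The following is an added PowerShell example, not code from any of the posters or from Microsoft's documentation: a read-only audit of the Edge `SSLVersionMin` and `URLBlocklist` policies and of the SCHANNEL client protocol keys (which IE mode relies on). It assumes the policies are deployed machine-wide under HKLM; the function names are illustrative.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumption: Edge policies are applied per machine (HKLM), not per user (HKCU).
$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeSslVersionMin {
    # SSLVersionMin is a string policy value such as tls1, tls1.1, tls1.2 or tls1.3
    $p = Get-ItemProperty -Path $edgeKey -Name SSLVersionMin -ErrorAction SilentlyContinue
    if ($p) { $p.SSLVersionMin } else { 'not set' }
}

function Test-EdgeFlagsBlocked {
    # URLBlocklist entries are numbered string values under their own subkey
    $key = Get-Item -Path "$edgeKey\URLBlocklist" -ErrorAction SilentlyContinue
    if (-not $key) { return $false }
    $entries = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    [bool]($entries | Where-Object { $_ -like 'edge://flags*' })
}

function Get-SchannelClientState {
    param([Parameter(Mandatory)][string]$Protocol)
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders' +
            "\SCHANNEL\Protocols\$Protocol\Client"
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    # A missing or empty key is not an error: the OS default for that protocol applies
    if (-not $p) { return 'not configured (OS default applies)' }
    if ($p.Enabled -eq 0) { return 'disabled' }
    if ($p.DisabledByDefault -eq 1) { return 'enabled, but off by default' }
    'enabled'
}

[pscustomobject]@{
    EdgeSSLVersionMin  = Get-EdgeSslVersionMin
    EdgeFlagsBlocked   = Test-EdgeFlagsBlocked
    'SCHANNEL TLS 1.0' = Get-SchannelClientState -Protocol 'TLS 1.0'
    'SCHANNEL TLS 1.1' = Get-SchannelClientState -Protocol 'TLS 1.1'
    'SCHANNEL TLS 1.2' = Get-SchannelClientState -Protocol 'TLS 1.2'
} | Format-List
```

The registry only shows what has been configured; the policies Edge has actually applied are listed on its `edge://policy` page.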
