It turned out to be a load balancer in front of the server I was hitting. Silly me.
Disabling weak TLS Protocols from registry doesn't work (for us...)
Hi,
We have tried to disable weak SSL/TLS protocols on a Windows Server 2016 server by setting the corresponding registry keys as suggested here:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-10
We have created the following DWORDs:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
After a restart of the server a scan like https://www.ssllabs.com/ssltest/index.html still reports that the server supports TLS 1.0 and 1.1. We have cleared the scan cache after the change, so it shouldn't be a cached result. I also get a 200 OK response from
Invoke-WebRequest https://MyServer -SslProtocol Tls
If I use a tool like IISCrypto it reports that the protocols are disabled.
Any ideas regarding why these protocols are not being disabled by the registry keys above are very welcome!
2 additional answers
Andy David - MVP 145.1K Reputation points MVP
2020-07-29T20:45:27.247+00:00 You really should disable client and server
Leon Laude 85,721 Reputation points
2020-07-29T20:49:05.527+00:00 Hi,
I've witnessed many auditing tools that do not report these correctly; if I remember right, Qualys was one of them.
The Windows registry never lies, and is the best place to check the correct values. I believe IISCrypto checks the Windows registry values as well and I've used IISCrypto for many customers without ever having any issues.
Do note that you have to modify the registry keys for both Server and Client.
Best regards,
Leon
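The procedure the question describes (SCHANNEL registry keys for TLS 1.0 and 1.1) and Leon's point that both the Server and Client subkeys must be set can be done and verified from one script. The following is an added example and is not code from the original thread or from Microsoft; it assumes the SCHANNEL key path quoted in the question, an elevated PowerShell session, and a reboot afterwards for SCHANNEL to pick up the change. The hostname `MyServer` is the placeholder from the question, and the probe function `Test-TlsProtocol` is a hypothetical helper built on .NET's `SslStream` rather than on `Invoke-WebRequest`, so it also works in Windows PowerShell 5.1, which lacks `-SslProtocol`.

```powershell
# Added example (not from the thread). Run elevated; SCHANNEL changes need a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Enable or disable one protocol for BOTH the Server and the Client side,
    # using the same DWORD names Microsoft documents (Enabled, DisabledByDefault).
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Read back what is actually in the registry. A $null value means the
    # DWORD is absent, i.e. the OS default applies for that protocol/side.
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $p) $side
            $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $v.Enabled
                DisabledByDefault = $v.DisabledByDefault
            }
        }
    }
}

function Test-TlsProtocol {
    # Hypothetical helper: open a raw TLS handshake restricted to ONE protocol
    # version and report whether the remote end accepted it. Certificate errors
    # are ignored on purpose because only protocol support is being measured.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Offered = $Protocol; Accepted = $true; Negotiated = $ssl.SslProtocol; Error = $null }
        $ssl.Dispose()
    } catch {
        [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null
                           Error = $_.Exception.GetBaseException().Message }
    } finally {
        $client.Dispose()
    }
}

# 1. Disable the weak versions on both sides, keep TLS 1.2 explicitly enabled.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# 2. Confirm the registry now says what you think it says (this is what
#    IISCrypto reads; it does not test the network path).
Get-SchannelProtocolState | Format-Table -AutoSize

# 3. After the reboot, probe the endpoint per protocol version. Run this
#    part from ANOTHER host: once the Client keys are disabled locally,
#    SslStream on this box can no longer even offer TLS 1.0/1.1.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -HostName 'MyServer' -Protocol ([System.Security.Authentication.SslProtocols]$p)
} | Format-Table -AutoSize
```

If step 3 still reports TLS 1.0 or 1.1 as accepted while step 2 shows the keys are set, the handshake you are probing is terminating somewhere other than on this server, which is exactly the load balancer situation the original poster ran into; point the probe at the server's own address from inside the network to confirm.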