SchUseStrongCrypto registry value: does Windows negotiation include older TLS versions?

nimi 91 Reputation points
2022-02-01T06:07:48.02+00:00


We're finding that PowerShell (in particular) is trying to use TLS versions older than 1.2, for example when trying to connect to the PowerShell Gallery with PowerShellGet, or when using the Invoke-RestMethod cmdlet.

As a temporary workaround we usually type this command in PowerShell, or add it to our scripts: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

But we have found that by creating the SchUseStrongCrypto and SystemDefaultTlsVersions registry values as per https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net we don't need this workaround.

We'd like to set these registry values on all our servers. Could you confirm please that if the server is trying to connect to an old one such as Windows 2003 which cannot do TLS 1.2, it will negotiate to use an older TLS version? With these registry values set I mean of course.

Tags: Windows Server 2016, Windows Server, Windows Server PowerShell

2 answers

  1. abbodi86 3,776 Reputation points
    2022-02-02T10:39:19.62+00:00

    SchUseStrongCrypto disables the SSL3 protocol and weak TLS ciphers (RC4/DES/MD5...), and enables/sets ServicePointManager.SecurityProtocol to all TLS protocols (including TLS 1.3 if supported)

    SystemDefaultTlsVersions sets ServicePointManager.SecurityProtocol to SystemDefault, which inherits the defaults from the Windows Schannel DisabledByDefault registry values
    if DisabledByDefault is not defined for the protocol, then it depends on the OS version and installed updates for older versions
    https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

    in my test on Windows 8.1, neither the SchUseStrongCrypto nor the SystemDefaultTlsVersions registry value disables older TLS versions, and they can still be negotiated and used

    you can check in PowerShell for the current value

    [Net.ServicePointManager]::SecurityProtocol

    and test against specific TLS version checkers

    Invoke-WebRequest https://tls-v1-0.badssl.com:1010
    Invoke-WebRequest https://tls-v1-1.badssl.com:1011
    Invoke-WebRequest https://tls-v1-2.badssl.com:1012

    or

    (Invoke-WebRequest https://www.ssllabs.com:10300).Content
    (Invoke-WebRequest https://www.ssllabs.com:10301).Content
    (Invoke-WebRequest https://www.ssllabs.com:10302).Content
    (Invoke-WebRequest https://www.ssllabs.com:10303).Content
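The following script is an added example, not code from the question or either answer. It puts the two pieces of this thread together: the registry values from the Configuration Manager article linked in the question (the SystemDefaultTlsVersions and SchUseStrongCrypto DWORDs under the 64-bit and 32-bit .NET Framework 4 keys), the ServicePointManager check from the answer above, and a per-version handshake probe that answers the original question directly: pin the client to one TLS version and see whether a given server accepts it. The badssl.com hostnames and ports are the checkers from the answer; the function names are my own. It assumes Windows PowerShell 5.1 on .NET Framework 4.x, run elevated for the registry part.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1 on .NET Framework 4.x.
# Function names are assumptions; registry paths are the ones from the linked Configuration Manager article.

# 1. Registry values from the linked article, for 64-bit and 32-bit .NET Framework 4.x. Run elevated.
function Enable-DotNetSystemTls {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 1')) {
                New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# 2. The default a .NET process starts with. It is read at process start, so check this
#    from a NEW PowerShell session after changing the registry, not the one that changed it.
function Get-DotNetDefaultTls {
    [Net.ServicePointManager]::SecurityProtocol
}

# 3. Handshake probe: force exactly one TLS version on the client side and report whether the
#    server accepts it. SslStream with an explicit protocol bypasses ServicePointManager.SecurityProtocol,
#    so this shows what the SERVER will negotiate; the Invoke-WebRequest checks in the answer above
#    show what the .NET default will negotiate. A version disabled in Schannel still fails here.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate trust is deliberately ignored: this probe is about protocol negotiation only.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Host = $ComputerName; Port = $Port; Requested = $Protocol
            Negotiated = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm; Result = 'OK'
        }
    } catch {
        [pscustomobject]@{
            Host = $ComputerName; Port = $Port; Requested = $Protocol
            Negotiated = $null; Cipher = $null; Result = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage: each badssl endpoint accepts only the version in its name, so this matrix shows which
# client-side version each server takes. A legacy host that only speaks TLS 1.0 (the Windows 2003
# case from the question) would show 'OK' only in its Tls row.
$targets = @(
    @{ ComputerName = 'tls-v1-0.badssl.com'; Port = 1010 },
    @{ ComputerName = 'tls-v1-1.badssl.com'; Port = 1011 },
    @{ ComputerName = 'tls-v1-2.badssl.com'; Port = 1012 }
)
$results = foreach ($t in $targets) {
    foreach ($p in 'Tls', 'Tls11', 'Tls12') {
        Test-TlsHandshake @t -Protocol $p
    }
}
$results | Format-Table Host, Port, Requested, Negotiated, Cipher, Result -AutoSize
```

The point of the probe is the distinction the answer above draws: the .NET registry values change what .NET offers by default, while what a server will accept is a property of the server and of the client OS's Schannel configuration. If a Tls row fails for a host you expect to be TLS 1.0-only, check the Schannel DisabledByDefault values on the client before blaming the .NET settings.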

  2. Limitless Technology 39,371 Reputation points
    2022-02-03T15:35:19.21+00:00

    Hello @nimi

    That is correct,

    "The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. "
    Reference: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net

    Additionally, you can read more about the setting and the operability framework here: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358#advisory-faq

    Hope this helps with your query,
