SchUseStrongCrypto registry value: does Windows negotiation include older TLS versions?

nimi 91 Reputation points
2022-02-01T06:07:48.02+00:00

We're finding that powershell (in particular) is trying to use TLS versions older than 1.2, for example when trying to connect to the powershell gallery with powershellGet, or using the Invoke-RestMethod cmdlet.

As a temporary workaround we usually type this command in powershell, or add it to our scripts '[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12'

But we have found that by creating the SchUseStrongCrypto and SystemDefaultTlsVersions registry values as per https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net we don't need this workaround.

We'd like to set these registry values on all our servers. Could you confirm please that if the server is trying to connect to an old one such as Windows 2003 which cannot do TLS 1.2, it will negotiate to use an older TLS version? With these registry values set I mean of course.


2 answers

  1. abbodi86 4,041 Reputation points
    2022-02-02T10:39:19.62+00:00

    SchUseStrongCrypto disables the SSL3 protocol and weak TLS ciphers (RC4/DES/MD5...), and enables/sets ServicePointManager.SecurityProtocol to all TLS protocols (including TLS 1.3 if supported).

    SystemDefaultTlsVersions sets ServicePointManager.SecurityProtocol to SystemDefault, which inherits the defaults from the Windows Schannel DisabledByDefault registry values.
    If DisabledByDefault is not defined for the protocol, then it depends on the OS version and, for older versions, on the installed updates:
    https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

    With my test on Windows 8.1, neither the SchUseStrongCrypto nor the SystemDefaultTlsVersions registry value disables older TLS versions; they can still be negotiated and used.

    You can check the current value in PowerShell:

    [Net.ServicePointManager]::SecurityProtocol

    and test against specific TLS version checkers:

    Invoke-WebRequest https://tls-v1-0.badssl.com:1010
    Invoke-WebRequest https://tls-v1-1.badssl.com:1011
    Invoke-WebRequest https://tls-v1-2.badssl.com:1012

    or

    (Invoke-WebRequest https://www.ssllabs.com:10300).Content
    (Invoke-WebRequest https://www.ssllabs.com:10301).Content
    (Invoke-WebRequest https://www.ssllabs.com:10302).Content
    (Invoke-WebRequest https://www.ssllabs.com:10303).Content
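An added example, not part of abbodi86's answer or of the thread: a Windows PowerShell script that reads the two .NET registry values and the per-protocol Schannel client keys discussed above, prints the session's SecurityProtocol, and probes the badssl checkers to see which TLS versions this .NET session will actually negotiate. The registry paths are the ones from the linked Microsoft documentation; the function names and the 'not set' marker are my own choices.

```powershell
function Get-DotNetTlsRegistry {
    # .NET Framework 4.x honours these values in both the 64-bit and Wow6432Node hives.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                     = $p
            SchUseStrongCrypto       = $item.SchUseStrongCrypto        # 1 = on; absent = .NET default
            SystemDefaultTlsVersions = $item.SystemDefaultTlsVersions  # 1 = follow Schannel defaults
        }
    }
}

function Get-SchannelClientProtocols {
    # Per-protocol Schannel client keys; a missing key means the OS default applies.
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\Client"
        $item = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = $(if ($null -eq $item) { 'not set' } else { $item.Enabled })
            DisabledByDefault = $(if ($null -eq $item) { 'not set' } else { $item.DisabledByDefault })
        }
    }
}

function Test-TlsNegotiation {
    # Each badssl host accepts exactly one TLS version, so success means this session negotiated it.
    $targets = [ordered]@{
        'TLS 1.0' = 'https://tls-v1-0.badssl.com:1010'
        'TLS 1.1' = 'https://tls-v1-1.badssl.com:1011'
        'TLS 1.2' = 'https://tls-v1-2.badssl.com:1012'
    }
    foreach ($name in $targets.Keys) {
        try {
            $null = Invoke-WebRequest -Uri $targets[$name] -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{ Protocol = $name; Negotiated = $true;  Detail = '' }
        } catch {
            [pscustomobject]@{ Protocol = $name; Negotiated = $false; Detail = $_.Exception.Message }
        }
    }
}

"SecurityProtocol in this session: $([Net.ServicePointManager]::SecurityProtocol)"
Get-DotNetTlsRegistry       | Format-Table -AutoSize
Get-SchannelClientProtocols | Format-Table -AutoSize
Test-TlsNegotiation         | Format-Table -AutoSize
```

A TLS 1.0 or TLS 1.1 row with Negotiated = True is the fallback behaviour the question asks about, and the two registry tables show which layer (.NET or Schannel) is still permitting it.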

  2. Limitless Technology 39,931 Reputation points
    2022-02-03T15:35:19.21+00:00

    Hello @nimi

    That is correct,

    "The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. "
    Reference: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#bkmk_net

    Additionally you can read more about the setting and operability framework here: https://learn.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/2960358#advisory-faq

    Hope this helps with your query,
