
I have an ASP.NET MVC web service hosted in Microsoft Azure Cloud Services (as a web role) currently targeting .NET Framework 4.5.2 and configured to run on Windows Server 2012. I need to migrate it to .NET Framework 4.7.2 and Windows Server 2019. All goes just fine except...

Windows Server 2012 is configured such that IIS allows TLS 1.0, TLS 1.1 and TLS 1.2 by default, but Windows Server 2019 has IIS configured to only allow TLS 1.2. This may break some of the clients, so I'd like to temporarily enable TLS 1.0 and 1.1 on Windows 2019 and then later talk to the clients and disable all but TLS 1.2.

I found this answer which suggests that I change the registry keys:

```reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
```

and put

```reg
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
```

in there. (I also tried dword:00000001 instead of dword:ffffffff; no difference.) I included this as a startup task so that the necessary changes are imported into the registry.

It doesn't help. I use https://www.ssllabs.com/ssltest to check the available TLS modes. It says only TLS 1.2 is allowed both before and after the change. It properly showed that 1.0, 1.1 and 1.2 were available for Windows Server 2012.

How do I have TLS 1.0 and 1.1 enabled?

sharptooth
  • Did you resolve this issue? We have the exact same issue you are facing. Any help would be great. – StefanHa Jun 03 '19 at 07:02
  • @StefanHa Not yet. We filed a support ticket and now we're waiting for a documentation update which is expected to solve the problem. So far we just keep running our service on Windows Server 2012. – sharptooth Jun 03 '19 at 09:12
  • I found a solution in the meantime. We used this tool https://www.nartac.com/Products/IISCrypto/ on our DEV server. This enabled TLS 1.0 and 1.1. This tool adds some cipher suites which are needed for the older TLS. We are adding a batch file to the ServiceConfiguration.cscfg now which enables the right registry settings via the Startup tag. https://learn.microsoft.com/nl-nl/azure/cloud-services/cloud-services-startup-tasks. Hope this helps – StefanHa Jun 03 '19 at 10:52
  • Btw TLS 1.0 is not supported anymore since June 2018 so you should not care about it. TLS 1.1 will be deprecated probably next year. – Thomas Jun 06 '19 at 09:40
  • @Thomas Whatever. We still cannot drop them suddenly because that could break some clients. – sharptooth Jun 06 '19 at 10:19
  • @StefanHa Microsoft published this https://learn.microsoft.com/en-us/azure/cloud-services/applications-dont-support-tls-1-2 which is mostly the same as the accepted answer https://stackoverflow.com/a/57667486/57428 - certain ciphers must be added and then the machine has to be rebooted. – sharptooth May 12 '20 at 14:35

2 Answers

Add the cipher suites for TLS 1.0/1.1. Complete script (run as admin):

```powershell
# Cipher suites to expose through the SSL cipher-suite policy. The CBC-SHA
# entries at the bottom are the ones TLS 1.0/1.1 clients can actually use;
# the GCM/SHA256/SHA384 ones keep TLS 1.2 clients on modern suites.
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',

    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

# Schannel protocol switches for the server side of TLS 1.0/1.1, plus the
# comma-separated suite list written to the cipher-suite policy value.
$registry = @(
    @{Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server';Name='DisabledByDefault';Type='DWord';Value=0},
    @{Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server';Name='Enabled';Type='DWord';Value=1},
    @{Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server';Name='DisabledByDefault';Type='DWord';Value=0},
    @{Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server';Name='Enabled';Type='DWord';Value=1},
    @{Path='HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002';Name='Functions';Type='String';Value=$suites -Join ','}
)

# Only write values that differ from what is already there, and only reboot
# when something actually changed (Schannel reads these settings at boot).
$reboot = $null
foreach ($row in $registry) {
    if (-Not(Test-Path $row.Path)) {
        New-Item -Path $row.Path -Force | Out-Null
    }

    try {
        $val = Get-ItemPropertyValue -Path $row.Path -Name $row.Name
    } catch {
        $val = $null
    }

    if ($val -ne $row.Value) {
        $reboot = $true
        Set-ItemProperty -Path $row.Path -Name $row.Name -Type $row.Type -Value $row.Value -Force
        Write-Host "$($row.Path)!$($row.Name)=$($row.Value)"
    }
}

if ($reboot -eq $true) {
    Write-Host "Rebooting now..."
    shutdown.exe /r /t 0 /c "Rebooting for registry changes to take effect" /f /d p:2:4
}
```

Kanchan
  • Is this documented anywhere? – sharptooth Aug 27 '19 at 09:43
  • [Get-TlsCipherSuite](https://learn.microsoft.com/en-us/powershell/module/tls/get-tlsciphersuite?view=win10-ps) provides the list. You can run this on WS2016 or look at SSLLabs pointed to a WS2016 server. – Kanchan Aug 27 '19 at 23:18
  • [TLS Cipher Suites in Windows 10 v1903](https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903) has details on the cipher suites and TLS versions. – Kanchan Aug 27 '19 at 23:24
  • It's now documented here https://learn.microsoft.com/en-us/azure/cloud-services/applications-dont-support-tls-1-2 (Troubleshooting applications that don’t support TLS 1.2) Yes, adding certain ciphers is required. A reboot is also required for the changes to take effect. This is very unfortunate for cloud service web roles. – sharptooth May 12 '20 at 14:33
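The question's registry keys and the accepted answer's cipher-suite policy value are the two things to check before and after the change, and again when it is time to go back to TLS 1.2 only. The following audit/rollback script is an added example, not code from the question or either answer; `-RollBack` is an assumed switch name and the Enabled/DisabledByDefault interpretation follows the semantics described above.

```powershell
# Added example, not from the question or either answer: audit the Schannel
# protocol keys and the cipher-suite policy value discussed above, and with
# -RollBack (an assumed switch name) return the web role to TLS 1.2 only.
[CmdletBinding()]
param([switch]$RollBack)   # run elevated on the role instance
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Interpret the two DWORDs: an absent key or value means "OS default";
# Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it present
# but not offered unless an application asks for it explicitly.
function Get-SchannelState {
    param([string]$Proto, [string]$Side)
    $key = Join-Path $base "$Proto\$Side"
    if (-not (Test-Path $key)) { return 'OS default (key absent)' }
    $p = Get-ItemProperty -Path $key
    $enabled = if ($null -eq $p.Enabled) { 'default' } elseif ($p.Enabled -ne 0) { 'on' } else { 'off' }
    $offered = if ($null -eq $p.DisabledByDefault) { 'default' } elseif ($p.DisabledByDefault -ne 0) { 'no' } else { 'yes' }
    return "Enabled=$enabled Offered=$offered"
}

foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        Write-Host ('{0,-8} {1,-6} {2}' -f $proto, $side, (Get-SchannelState $proto $side))
    }
}

# The accepted answer writes its suite list to the Functions policy value;
# report how many are the CBC-SHA suites that TLS 1.0/1.1 clients need.
$functions = if (Test-Path $policy) { (Get-ItemProperty -Path $policy).Functions } else { $null }
if ($functions) {
    $list = $functions -split ','
    $legacy = @($list | Where-Object { $_ -match '_CBC_SHA$' }).Count
    Write-Host "Policy cipher suites: $($list.Count) total, $legacy legacy CBC-SHA"
} else {
    Write-Host 'No cipher-suite policy override set (OS default list)'
}
if ($RollBack) {
    # Back to the Server 2019 default: set Enabled=0 explicitly rather than
    # deleting the keys, so the state is unambiguous on the next audit.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $key = Join-Path $base "$proto\Server"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Enabled' -Type DWord -Value 0
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Type DWord -Value 1
    }
    if (Test-Path $policy) { Remove-ItemProperty -Path $policy -Name 'Functions' -ErrorAction SilentlyContinue }
    Write-Host 'Rolled back to TLS 1.2 only; a reboot is required for Schannel to pick it up.'
}
```

Run it once before applying the accepted answer's script and once after the reboot; the audit lines should change from "OS default" to "Enabled=on Offered=yes" for the TLS 1.0/1.1 Server keys, which is the state SSL Labs should then reflect.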

You could use the PowerShell script below to enable TLS 1.0 and 1.1:

```powershell
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$True)]
    [ValidateSet("SSL30","TLS10","TLS11","TLS12")]
    [string]$Proto,
    [ValidateSet("Client","Server")]
    [string]$Target,
    [Parameter(Mandatory=$True)]
    [ValidateSet("Enable","Disable")]
    $Action)

# Map the short protocol name to its SCHANNEL\Protocols registry key.
Function CheckKey{
    param(
        [string]$Proto
    )
    $RegKey = $null

    switch ($Proto){
        SSL30 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"}
        TLS10 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"}
        TLS11 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"}
        TLS12 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"}
        default{"Not supported protocol. Possible values: SSL30, TLS10, TLS11, TLS12"
                exit}
    }
    return $RegKey
}

$RegKey = CheckKey -Proto $Proto
[string[]]$TargetKey = $null
# Without -Target, act on both the Client and Server subkeys; create any that are missing.
if(!($Target)){
    Write-Host "Setting up both Client and Server protocols"
    $TargetKey = $(Join-Path $RegKey "Client").ToString()
    $TargetKey += $(Join-Path $RegKey "Server").ToString()
    if(!(Test-Path -Path $TargetKey[0])){
        New-Item $TargetKey[0] -Force
    }
    if(!(Test-Path -Path $TargetKey[1])){
        New-Item $TargetKey[1] -Force
    }
}
else{
    Write-Host "Setting up $Target protocols"
    $TargetKey = $(Join-Path $RegKey $Target).ToString()
    if(!(Test-Path -Path $TargetKey)){
        New-Item $TargetKey -Force
    }
}

# Enable  -> Enabled=1, DisabledByDefault=0
# Disable -> Enabled=0, DisabledByDefault=1
# Get-ItemProperty with -ErrorAction Stop throws a PSArgumentException when the
# value does not exist yet, so the catch block creates it instead of updating it.
Function SetProto{
    param(
        [string[]]$TargetKey,
        [string]$Action
    )

    foreach($key in $TargetKey){
        try{
            Get-ItemProperty -Path $key -Name "Enabled" -ErrorAction Stop | Out-Null
            if($Action -eq "Disable"){
                Write-Host "`tUpdating $key"
                Set-ItemProperty -Path $key -Name "Enabled" -Value 0 -Type "DWord"
            }
            else{
                Write-Host "`tUpdating $key"
                Set-ItemProperty -Path $key -Name "Enabled" -Value 1 -Type "DWord"
            }
        }catch [System.Management.Automation.PSArgumentException]{
            if($Action -eq "Disable"){
                Write-Host "`tCreating $key"
                New-ItemProperty -Path $key -Name "Enabled" -Value 0 -PropertyType "DWord"
            }
            else{
                Write-Host "`tCreating $key"
                New-ItemProperty -Path $key -Name "Enabled" -Value 1 -PropertyType "DWord"
            }
        }

        try{
            Get-ItemProperty -Path $key -Name "DisabledByDefault" -ErrorAction Stop | Out-Null
            if($Action -eq "Disable"){
                Write-Host "`tUpdating $key"
                Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -Type "DWord"
            }
            else{
                Write-Host "`tUpdating $key"
                Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -Type "DWord"
            }
        }catch [System.Management.Automation.PSArgumentException]{
            if($Action -eq "Disable"){
                Write-Host "`tCreating $key"
                New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -PropertyType "DWord"
            }
            else{
                Write-Host "`tCreating $key"
                New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -PropertyType "DWord"
            }
        }
    }
}

SetProto -TargetKey $TargetKey -Action $Action

Write-Host "The operation completed successfully, reboot is required" -ForegroundColor Green
```

Use the network monitoring tool to check which protocol the site is using: Microsoft Network Monitor.

Do not forget to restart the machine after enabling or disabling the protocol.

Neeraj Kumar
Jalpa Panchal