ENABLE OUTBOUND TLS 1.1 AND 1.2 ON WINDOWS SERVER

WINDOWS 2012 R2 AND WINDOWS 2008 R2

In my case, I have a simple website which has its own sub-application (not just a virtual folder). The sub-application uses the DefaultAppPool which, in turn, uses .NET v4.0:

[Image: windows-2012-r2-apppool]

This particular app makes outbound HTTPS requests and reads back the response and its content. With the standard, out-of-the-box installation, the connection fails and is rejected, because the host server is only set to allow TLS 1.1 and higher connections.

We need to tell Windows to allow those higher protocol versions and, in fact, to default to them.

Ready? It is so easy:

Open regedit. There are two places where you need to add a value to get strong cryptography:

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > .NETFramework > v4.0.30319

HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Microsoft > .NETFramework > v4.0.30319

The new DWORD to add: SchUseStrongCrypto
And its value: 1 (shown in regedit as 00000001)

As you can see below, I have exported the keys with the new values added. AspNetEnforceViewStateMac is the default value that already exists in each key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"AspNetEnforceViewStateMac"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Note: this appears to be a parent configuration for all the SKU subkeys beneath this key. I have NOT tested with other versions of .NET listed under the SKUs subkey. If something fails, simply add the value to each version you are using.

Here are some images to help you along:

Have SchUseStrongCrypto already copied and ready to CTRL+V before you begin. Open regedit and scroll down to the first key, HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > .NETFramework > v4.0.30319. Right click > New > DWORD (32-bit) Value. Paste SchUseStrongCrypto over the placeholder name “New Value #1”. If you make a mistake, just delete the value and try again.

[Image: windows-2012-r2-addregkey]

Then right click > Modify.

[Image: windows-2012-r2-modify-dword-value]

Then simply change the default value of 0 to 1 and click Ok.

[Image: windows-2012-r2-update-dword-value]

Restart the machine.
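The same change as a script, added here as an example and not part of the original post: it audits both registry paths named above and, only when run with -Apply, writes SchUseStrongCrypto=1 as a 32-bit DWORD. It assumes an elevated PowerShell session on the server; the key and value names are the ones from this post.

```powershell
# Added example: audit and optionally set SchUseStrongCrypto=1 in both the
# 64-bit and Wow6432Node .NET 4.0 keys. Without -Apply nothing is written.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$valueName = 'SchUseStrongCrypto'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        Write-Warning "Key not found (is .NET 4.x installed?): $key"
        continue
    }

    # $null when the value does not exist yet
    $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $state = if ($null -eq $current) { 'missing' }
             elseif ($current -eq 1)  { 'enabled' }
             else                     { "set to $current" }
    Write-Host ("{0}`n    {1}: {2}" -f $key, $valueName, $state)

    if ($Apply -and $current -ne 1 -and
        $PSCmdlet.ShouldProcess($key, "Set $valueName = 1 (REG_DWORD)")) {
        # -Force overwrites an existing value, so a wrong type or 0 is corrected too
        New-ItemProperty -Path $key -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host "    -> set to 1; restart the machine so .NET picks it up"
    }
}
```

Run it once without -Apply to see the current state, then with -Apply (add -WhatIf to preview the writes). The value only affects .NET Framework applications, which is what the app pool in this post runs.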
