Enabling TLS 1.1/1.2 on Windows Server 2008 SP2 still not possible


first for those of you, who might think, this question has been asked so many time before so it is a useless duplicate...

  1. I cannot (yet) comment on other questions, so my only option on this is to ask new question.
  2. I've searched and read the following articles on different portals online, but still have no solution for my particular problem:

The official article from Microsoft here, also the TechNet articles article #1 and article #2. Then I went for more information on MSFN and Stackexchange. I've also read this SF post, where I originally wanted to post a comment. Unfortunately all was to no avail...

So what is the problem? It is that famous problem for enabling TLS 1.1/1.2 on MS Windows Server 2008 SP2, which in my case turns out to be a nightmare. I've a VM with MS Windows 2008 SP2 running inside, the OS is patched and up-to-date. I've tried to install these Microsoft Standalone Updates KB4019276 and KB4056564, as recommended by the posters in the MSFN article, but I'm unable to install them (both x86 and x64, also tried all patch dates, not only the newest one). I get this response from the OS: The update does not apply to your system. I've then thought, these patches must be already installed at some earlier time point and indeed - the KB4056564 has been installed. So I went to manually modify the registry according to above mentioned article from SF. I've modified the registry, restarted the VM and wanted to configure the MSIE 9 in order to allow the TLS 1.1/1.2 security protocols - to my bitter surprise these were not available.

I need this VM up and running with TLS 1.1/1.2 support asap, and have already spend many days of research and trials to solve the issue, but I'm still looking for the solution... I'd be very, very thankful, if you fellows can help me be it with pointing me to the right direction or providing with the solution for this yet nightmare-like issue...!

Edit #1: Currently I'm not allowed to use the IISCrypto application, nor any other third-party one, which access and modifies the machine's registry or overall system configurations...

Edit #2: Here are the registry items, which I created manually. I've also tried with Enabled values of 0xFFFFFFFF, did a machine restart, but still there was no effect of this change, so I've turned the values back to 0x1.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client 
    DisabledByDefault REG_DWORD 0x0 
    Enabled REG_DWORD 0x1 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server 
    DisabledByDefault REG_DWORD 0x0 
    Enabled REG_DWORD 0x1 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client 
    DisabledByDefault REG_DWORD 0x0 
    Enabled REG_DWORD 0x1 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server 
    DisabledByDefault REG_DWORD 0x0 
    Enabled REG_DWORD 0x1 

Edit #3: After a detailed review of what updates/patches have been installed/applied on the machine for the last two years, I've found that the KB4019276 has been applied on 2017-11-27 and KB4056564 has been applied on 2018-06-03. For KB4339093 I'm not sure - I'll search for this update, but I'd assume it is applied if the patch is older than a month as the machine is kept up-to-date at least once in a month.

Edit#4: The version of MS Internet Explorer running on the machine is 9.0.8112.16421, Update Versions 9.0.95 (KB4339093). @bcs78, the IE Update which you mentioned in your comment has been applied on 2018-07-30.

Edit #5: I'm unable to export the requested part of the system registry (the command reg query "HKLM\SOFTWARE\Microsoft\InternetExplorer\AdvancedOptions\CRYPTO\" /s), because I'm getting the error ERROR: The system was unable to find the specified registry key or value.. It seems all registry entries under the HKLM\SOFTWARE\Microsoft\InternetExplorer are somehow "locked"... But this very same "locked" effect does also exist on another machine (with Win2k12R2), where the TLS 1.1/1.2 communication functions properly.

I was able to export the related CRYPTO-keys directly from the Registry Editor:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"RegPoliciesPath"="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
"RegPath"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
"Text"="TLS 1.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"RegPoliciesPath"="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
"RegPath"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet   Settings"
"Text"="TLS 1.2"

The very same content exists also in the 32-bit portion of the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO.

I'm finally allowed to use the IISCrypt on the machine (it has been taken off from the production farm) and I can see only TLS 1.0 as supported SChannel Protocol - not TLS 1.1 nor TLS 1.2. Interesting enough, after the today's patching of the machine, the Internet Options dialog box started to show in the Advanced Tab/Security section all the enabled TLS Protocols (TLS 1.0, TLS 1.1 and TLS 1.2).

And the SSL Labs tests show the same result as previously: SSL Labs: "The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C"...

So, what else could be needed in order to finally get those TLS-protocols activated...?

Many thanks in advance!


asked on Server Fault Aug 8, 2018 by Ramanagom • edited Aug 12, 2018 by Ramanagom

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0