
How to Disable/Enable SSL/TLS protocols in Windows Server?

The steps below enable or disable individual SSL/TLS protocol versions in Windows Server by editing the Schannel registry keys. The screenshots were taken on Windows Server 2016; the same steps apply to the other Windows Server versions. Note that Schannel settings are machine-wide: they affect every component on the host that uses Schannel (IIS, RDP, SQL Server, .NET applications and so on), and a restart is required before the change takes effect.

Step 1: Open Registry Editor by running regedit from the Run dialog (Win+R). Before changing anything, export the SCHANNEL key so you can roll back.

Step 2: Navigate to the following path in the left-hand pane of Registry Editor.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

Step 3: The protocol keys are listed under this path. If no protocol keys are present, or only some versions are listed, that is normal: a missing key means the operating system default applies for that version. The required keys can be created by hand, as explained in the steps below.

Screenshot with no protocols listed.

The same steps are used to enable or disable any SSL/TLS protocol. The protocol key names Schannel recognizes are SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. SSL 2.0 and SSL 3.0 are obsolete and should remain disabled; TLS 1.3 is only supported by Schannel on Windows Server 2022 and later, so creating its key on older versions has no effect.

The example below uses TLS 1.0, but the procedure is identical for TLS 1.1, TLS 1.2, TLS 1.3, SSL 2.0 and SSL 3.0. The only difference is the protocol version you use as the key name.

1. Check whether a key named TLS 1.0 exists under the Protocols key.

2. If the TLS 1.0 key does not exist, continue with step 3. If it already exists, go to step 5.

3. Create a new key called “TLS 1.0”. To create the key, right-click Protocols -> New -> Key.

4. Enter the key name as “TLS 1.0”. Use the exact protocol name: for TLS 1.1 the key must be named “TLS 1.1”, and likewise for the other protocols.

5. Create two new keys under TLS 1.0 by right-clicking TLS 1.0 -> New -> Key. Name them Client and Server.

Note: If the TLS 1.0 key already exists and already contains Client and Server subkeys, do not create them again. Just create or update the DWORD values inside the existing keys.

6. Select the Client key and create a new DWORD value inside it: right-click Client -> New -> DWORD (32-bit) Value.

7. Name the DWORD DisabledByDefault in the right-hand pane.

8. Set the value to 1 to disable TLS 1.0 by default. To enable TLS 1.0, set the value to 0. (DisabledByDefault controls whether the protocol is offered when an application does not explicitly request a version.)

9. Create a second DWORD under Client in the same way and name it Enabled. Set the value to 0 to disable the protocol. To enable TLS 1.0, set the value to 1. (Enabled=0 turns the protocol off even if an application explicitly asks for it.)

10. Repeat steps 6 to 9 for the Server key: create the two DWORDs DisabledByDefault and Enabled and set them to 1 and 0 respectively. This disables TLS 1.0. Setting them to 0 and 1 respectively enables it.

Note: Make sure the Client and Server keys carry the same settings under the TLS 1.0 key. The Client key governs outbound connections made from this machine; the Server key governs connections it accepts.

11. An existing DWORD can be changed by right-clicking it and selecting Modify.

To disable a protocol, the DWORDs under both Client and Server should be: DisabledByDefault = 1 and Enabled = 0.

To enable a protocol, the DWORDs under both Client and Server should be: DisabledByDefault = 0 and Enabled = 1.
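The same procedure can be scripted, which is less error-prone than clicking through regedit on several servers. The following PowerShell is an added example and is not part of the original post: Set-SchannelProtocol creates the protocol key and its Client and Server subkeys if missing and writes the two DWORDs with the values described above, and Get-SchannelProtocolState reads back the current state of every protocol so you can verify the result. The function names are this example's own. Run it in an elevated PowerShell session and restart the server afterwards; Schannel reads these keys at boot.

```powershell
# Added example (not from the original post): manage Schannel protocol keys
# exactly as the manual steps above do. Requires an elevated session and a
# reboot before Schannel picks up the change.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$KnownProtocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,

        [Parameter(Mandatory)]
        [bool]$Enable
    )

    # Disable: DisabledByDefault=1, Enabled=0.  Enable: DisabledByDefault=0, Enabled=1.
    $disabledByDefault = if ($Enable) { 0 } else { 1 }
    $enabled           = if ($Enable) { 1 } else { 0 }

    # Client and Server must carry identical settings (note after step 10).
    foreach ($side in 'Client', 'Server') {
        $keyPath = Join-Path (Join-Path $SchannelProtocols $Protocol) $side
        if (-not (Test-Path $keyPath)) {
            # Creates the "TLS 1.0" key and the Client/Server subkey in one go (steps 3-5).
            New-Item -Path $keyPath -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess($keyPath, "Set DisabledByDefault=$disabledByDefault, Enabled=$enabled")) {
            # -Force creates the DWORD if it is missing and overwrites it if present (steps 6-11).
            New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -PropertyType DWord -Value $disabledByDefault -Force | Out-Null
            New-ItemProperty -Path $keyPath -Name 'Enabled'           -PropertyType DWord -Value $enabled           -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Reports what the registry currently holds for each protocol and side.
    # A missing key or value means "operating system default", which differs
    # between Windows versions, so it is reported as such rather than guessed.
    foreach ($protocol in $KnownProtocols) {
        foreach ($side in 'Client', 'Server') {
            $keyPath = Join-Path (Join-Path $SchannelProtocols $protocol) $side
            $props   = if (Test-Path $keyPath) { Get-ItemProperty -Path $keyPath } else { $null }
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled } else { '(default)' }
                DisabledByDefault = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(default)' }
            }
        }
    }
}

# Usage: turn off TLS 1.0 and TLS 1.1, make sure TLS 1.2 stays on, then audit.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
Get-SchannelProtocolState | Format-Table -AutoSize
```

Because the function supports -WhatIf, you can preview the exact keys and values that would be written before touching a production server. Running Get-SchannelProtocolState on the other machines an application talks to (for example the database server in the troubleshooting section below) shows quickly whether the two sides still share a protocol version.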

A common error after disabling TLS 1.0 and TLS 1.1 is:

“The client and server cannot communicate, because they do not possess a common algorithm”.

Cause: This error occurs when TLS 1.0 and TLS 1.1 have been disabled on the hosting server, and an application running on that server connects to another server that only supports TLS 1.0 and TLS 1.1.

The hosting server now offers only TLS 1.2, while the remote server accepts only TLS 1.0 and TLS 1.1, so the two sides have no protocol version in common and the handshake fails.

Real-world case: You host a site (www.mydomain.com) on a server where TLS 1.0 and TLS 1.1 are disabled. The site connects to a database on another server. The connection then fails with “The client and server cannot communicate, because they do not possess a common algorithm”.

Fix: Check which TLS versions the SQL Server instance on the database server supports. Older SQL Server builds only support TLS 1.0 and TLS 1.1; TLS 1.2 support is included in SQL Server 2016 and later, and for older versions it requires the relevant update or an upgrade to a newer version. Both ends must speak TLS 1.2: the SQL Server instance and the client components the application uses to connect (for example SQL Server Native Client or the .NET Framework), which the linked article also covers.

The supported SQL Server versions and required updates for TLS 1.2 are listed here:

https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server
