How To Enable TLS 1.2 On Windows Server

VPCart recommends enabling and using the TLS 1.2 protocol on your server. TLS 1.2 has improvements over previous versions of the TLS and SSL protocol which will improve your level of security. By default, Windows Server 2008 R2 does not have this feature enabled. This article will describe the process to enable this.

For Windows Server 2008 only

Please refer to the following URL to apply the Microsoft patch that updates the WinHTTP component.

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

For Windows Server 2008 and 2012

Note: You will be editing the registry. This could have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.

  1. Start the registry editor by clicking on "Start" and "Run". Type "regedit" into the "Run" field (without quotations).

  2. Highlight "Computer" at the top of the registry tree. Back up the registry first by clicking on "File" and then on "Export". Select a file location to save the registry file.

  3. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  4. Right-click on the "Protocols" folder and select "New" and then "Key" from the drop-down menu. This will create a new folder. Rename this folder to "TLS 1.2".

  5. Right-click on the "TLS 1.2" key and add two new keys underneath it.

  6. Rename the two new keys as:
    • Client
    • Server
  7. Right-click on the "Client" key and select "New" and then "DWORD (32-bit) Value" from the drop-down list.

  8. Rename the "DWORD" to "DisabledByDefault".

  9. Right-click the name "DisabledByDefault" and select "Modify..." from the drop-down menu.

  10. Ensure that the "Value" data field is set to "0" and the "Base" is "Hexadecimal". Click on "OK".

  11. Create another "DWORD" for the "Client" key as you did in Step 7.

  12. Rename this second "DWORD" to "Enabled".

  13. Right-click the name "Enabled" and select "Modify..." from the drop-down menu.

  14. Ensure that the "Value" data field is set to "1" and the "Base" is "Hexadecimal". Click on "OK".

  15. Repeat steps 7 to 14 for the "Server" key (by creating two DWORDs, "DisabledByDefault" and "Enabled", and their values underneath the "Server" key).

  16. Reboot the server.
 

Your server should now support TLS 1.2.
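
The registry changes from steps 3 to 15 can also be scripted. The following PowerShell is an added example, not part of the original VPCart article; it exports only the SCHANNEL "Protocols" subtree (narrower than the full export in step 2), and the backup file name and location under %TEMP% are assumptions.

```powershell
# Added example: scripted form of steps 2-15. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Assumption: backup file name and location; any writable folder will do.
$backup = Join-Path $env:TEMP ('schannel-protocols-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Back up before changing anything (only the Protocols subtree, not the whole registry).
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; no changes were made.' }

# Values from steps 10 and 14.
$wanted = @{ DisabledByDefault = 0; Enabled = 1 }

foreach ($role in 'Client', 'Server') {
    $path = Join-Path $base "TLS 1.2\$role"
    # Steps 4-6: create "TLS 1.2\Client" and "TLS 1.2\Server" only if missing.
    # New-Item -Force on an existing key would recreate it and drop its values.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Steps 7-14: create or overwrite the two DWORD values.
    foreach ($name in $wanted.Keys) {
        New-ItemProperty -Path $path -Name $name -Value $wanted[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Read the values back and stop if anything differs from what the steps require.
$bad = @()
foreach ($role in 'Client', 'Server') {
    $p = Get-ItemProperty -Path (Join-Path $base "TLS 1.2\$role")
    Write-Host ('{0}: DisabledByDefault={1} Enabled={2}' -f $role, $p.DisabledByDefault, $p.Enabled)
    if ($p.DisabledByDefault -ne 0 -or $p.Enabled -ne 1) { $bad += $role }
}
if ($bad.Count -gt 0) { throw "Unexpected values under: $($bad -join ', ')" }

Write-Host "Backup saved to $backup. Reboot the server to apply the change (step 16)."
```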

Note: This article cannot be used on a Windows Server 2003 (IIS 6). Windows Server 2003 does not support the TLS 1.2 protocol.

Reverting Back

If you make a mistake or something just isn't right, you can revert back to your previous registry settings by opening the Registry Editor and importing the backup you made in step 2.

ADDITIONAL NOTE FOR SITES USING SQL SERVER DB

Note: If you are using a local SQL Server database (hosted on your own server), you can ignore this note.

If support for TLS 1.0 and TLS 1.1 has been disabled on your server and only TLS 1.2 is allowed, you will most probably get this error if your site is using a SQL Server database:

The_connection_cannot_be_used_to_perform_this_operation._It_is_either_closed_or_invalid_in_this_context.

If you get the error above, please refer to the important notes below:

1. If your web server is limited to supporting only TLS 1.2, then you MUST make sure TLS 1.2 is enabled on your database server as well.

2. You must make sure the correct patches are applied so that SQL Server works properly with TLS 1.2. Please refer to:
https://support.microsoft.com/en-us/help/3052404/fix-you-cannot-use-the-transport-layer-security-protocol-version-1-2-t

3. You must make sure your web server is patched with the latest SQL Server ODBC driver (it must be ODBC Driver 11 or later), and make sure the correct 32-bit or 64-bit version is applied.

4. You must download our "SQL Server Other Drivers Compatitable Patch" into your site.
For v8, you can download this SQL Server Other Drivers Compatitable Patch 8.00 at:
https://www.vpcart.com/sales/addons800.asp

For v7, you can download this SQL Server Other Drivers Compatitable Patch 7.00 at:
https://www.vpcart.com/sales/addons700.asp

5. Please unzip the above module, and follow the readme file ($readme_sqlotherdrivers800/700.txt) for installation into your VPCart site.

NOTE: Please carry out steps 4 and 5 only if the following conditions apply:
- Your VPCart site is using a SQL Server database.
- Your VPCart site and SQL Server database are not on the same server (you may ask your web host about this).
- TLS 1.0 and 1.1 are disabled for your VPCart site and SQL Server database (you may ask your web host about this).

As a quicker and easier solution, you may consider moving to our VPCart hosting, which is already TLS 1.2 compatible, so our servers do not have such TLS incompatibility issues.

If you have any questions about this, please submit a helpdesk ticket to us at:
https://helpdesk.vpcart.com


Added By: Debbie / Wilson Keneshiro
Date Created: 5/6/2016
Last Updated: 1/23/2019