Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows

By | 09/03/2018

PCI compliance scans often tell you to move to TLS 1.2 on the server side, but after doing so many older clients can no longer connect, for example Outlook Anywhere clients going through WinHTTP to Exchange.

Take, for example, Windows 7 with Outlook 2010.

When you enforce TLS 1.2 on the server, Outlook can no longer connect via Outlook Anywhere (RPC over HTTP), because WinHTTP on Windows 7 does not enable anything higher than TLS 1.0 by default, even though Schannel itself supports TLS 1.1 and 1.2.

One of the errors could be:

You can fix this by installing KB3140245 from Microsoft and then applying the Easy Fix from the following page, which adds the registry keys for you. Note that the update alone only teaches WinHTTP to honour the new registry value; without the registry entry nothing changes.

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

In case Microsoft removes the Easy Fix, the version current at the time of writing is mirrored here:

MicrosoftEasyFix51044

Microsoft's description from the KB article:

Payment Card Industry (PCI) requires TLS 1.1 or TLS 1.2 for compliance.

For more information about the WINHTTP_OPTION_SECURE_PROTOCOLS flag, see Option Flags.

How the DefaultSecureProtocols registry entry works

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see: How to back up and restore the registry in Windows.

When an application specifies WINHTTP_OPTION_SECURE_PROTOCOLS, the system will check for the DefaultSecureProtocols registry entry and, if present, override the default protocols specified by WINHTTP_OPTION_SECURE_PROTOCOLS with the protocols specified in the registry entry. If the registry entry is not present, WinHTTP will use the existing operating system defaults for WinHTTP. These WinHTTP defaults follow the existing precedence rules and are overruled by SCHANNEL disabled protocols and by protocols set per application with WinHttpSetOption.

Note: The hotfix installer doesn't add the DefaultSecureProtocols value. The administrator must manually add the entry after determining the override protocols. Or, you can install the "Easy fix" to add the entry automatically.

The DefaultSecureProtocols registry entry can be added in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.

DefaultSecureProtocols value   Protocol enabled
0x00000008                     Enable SSL 2.0 by default
0x00000020                     Enable SSL 3.0 by default
0x00000080                     Enable TLS 1.0 by default
0x00000200                     Enable TLS 1.1 by default
0x00000800                     Enable TLS 1.2 by default

For example:

The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.

Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800) and add them together (a bitwise OR, e.g. in Calculator in programmer mode); the resulting registry value is 0x00000A00.

Keep in mind that the registry value replaces the WinHTTP defaults (SSL 3.0 + TLS 1.0) rather than extending them, so 0x00000A00 also turns off TLS 1.0 for every WinHTTP client on the machine. If some servers you talk to still only speak TLS 1.0, use 0x00000A80 (TLS 1.0 + 1.1 + 1.2) instead, and plan to drop the 0x80 bit once those servers are upgraded.
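The steps above (compute the bitmask, write it to both registry paths on x64, verify) in one script. This is an added example, not code from the Microsoft KB or from the original post; the bit values and registry paths are those documented above, the function names and the decoding output format are my own. Run it in an elevated PowerShell on a machine that already has KB3140245 installed; it is written to work on the PowerShell 2.0 that ships with Windows 7 SP1.

```powershell
# Added example (not from the Microsoft KB or the original post).
# Bit values are taken from the DefaultSecureProtocols table in the KB.
$ProtocolBits = @{
    'SSL2.0' = 0x00000008
    'SSL3.0' = 0x00000020
    'TLS1.0' = 0x00000080
    'TLS1.1' = 0x00000200
    'TLS1.2' = 0x00000800
}

# Both locations WinHTTP reads on x64; 32-bit processes (e.g. 32-bit Outlook)
# are redirected to the Wow6432Node copy, so both must be set.
$WinHttpPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Get-DefaultSecureProtocolsValue {
    # Combine the requested protocols into the DWORD bitmap (bitwise OR).
    param([Parameter(Mandatory=$true)][string[]]$Protocols)
    $value = 0
    foreach ($p in $Protocols) {
        if (-not $ProtocolBits.ContainsKey($p)) {
            throw "Unknown protocol '$p'. Known: $($ProtocolBits.Keys -join ', ')"
        }
        $value = $value -bor $ProtocolBits[$p]
    }
    return $value
}

function Set-WinHttpDefaultSecureProtocols {
    # Write DefaultSecureProtocols to the native path and, on 64-bit Windows
    # (where the Wow6432Node hive exists), to the 32-bit path as well.
    param([Parameter(Mandatory=$true)][string[]]$Protocols)
    $value = Get-DefaultSecureProtocolsValue -Protocols $Protocols
    $paths = @($WinHttpPaths[0])
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') { $paths += $WinHttpPaths[1] }
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'DefaultSecureProtocols' `
            -PropertyType DWord -Value $value -Force | Out-Null
    }
    return $value
}

function Get-WinHttpDefaultSecureProtocols {
    # Read back and decode what is currently configured under each path.
    foreach ($path in $WinHttpPaths) {
        $v = (Get-ItemProperty -Path $path -Name 'DefaultSecureProtocols' `
                -ErrorAction SilentlyContinue).DefaultSecureProtocols
        if ($null -eq $v) { "$path : not set (WinHTTP OS defaults apply)"; continue }
        $enabled = $ProtocolBits.GetEnumerator() |
            Where-Object { ($v -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key } | Sort-Object
        '{0} : 0x{1:X8} ({2})' -f $path, $v, ($enabled -join ', ')
    }
}

# TLS 1.1 + TLS 1.2 only gives 0x00000A00, the KB's example. Pass
# 'TLS1.0','TLS1.1','TLS1.2' (0x00000A80) instead if some servers still
# need TLS 1.0, since this value replaces the defaults rather than adding to them.
$written = Set-WinHttpDefaultSecureProtocols -Protocols 'TLS1.1', 'TLS1.2'
'Wrote DefaultSecureProtocols = 0x{0:X8}' -f $written
Get-WinHttpDefaultSecureProtocols
```

Run Get-WinHttpDefaultSecureProtocols on its own before changing anything to see whether a previous admin or the Easy Fix has already set a value; a line reading "not set" for the Wow6432Node path on an x64 box is the classic reason why 32-bit Outlook still fails after the 64-bit path was fixed.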

