Support for SSL/TLS protocols on Windows

https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/

Support for SSL/TLS protocols on Windows

★★★★★

★★★★

★★★

★★

★

October 2, 2011 by Kaushal Kumar Panday // 100 Comments

• 0
• 0

***********Updated on 4th October 2017***********

NOTE: Support for TLS 1.1 and TLS 1.2 is now available in Windows Server 2008 SP2. Install the following update:

Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2

Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) are protocols which use cryptographic algorithms to secure the communication between 2 entities. It is just a secure layer running on top of HTTP.

SSL Handshake Protocol	SSL Change Cipher Spec Protocol	SSL Alert Protocol	HTTP
SSL Record Protocol
TCP
IP

Overview of SSL Protocol Stack

Several versions of SSL have been released after its advent in 1995 (SSL 2.0 by Netscape communications, SSL 1.0 was never released). Here is the list:

• SSL 1.0, 2.0 and 3.0
• TLS 1.0 (or SSL 3.1, released in 1999)
• TLS 1.1 (or SSL 3.2, released in 2006)
• TLS 1.2 (or SSL 3.3, released in 2008)

SSL was changed to TLS when it was handed over to IETF for standardizing the security protocol layer in 1999. After making few changes to SSL 3.0, IETF released TLS 1.0. TLS 1.0 is being used by several web servers and browsers till date. What I have never understood, is there have been newer versions released after this, with the latest being TLS 1.2 released in 2008.

On Windows the support for SSL/TLS protocols is tied to the SCHANNEL component. So, if a specific OS version doesn’t support a SSL/TLS version, this means it remains unsupported.

All the windows components/applications abide by this rule and can support only those protocols which are supported at the OS level. For e.g.: IIS and Internet Explorer.

Below table should give you a good understanding of what protocols are supported on Windows OS.

Windows OS Version	SSL 2.0	SSL 3.0	TLS 1.0	TLS 1.1	TLS 1.2
Windows XP & Windows Server 2003	✓	✓	✓	X	X
Windows Vista & Windows Server 2008	✓	✓	✓	✓	✓
Windows 7 & Windows Server 2008 R2	✓	✓	✓	✓	✓
Windows 8 & Windows Server 2012	✓	✓	✓	✓	✓
Windows 8.1 & Windows Server 2012 R2	✓	✓	✓	✓	✓
Windows 10 & Windows Server 2016	✓	✓	✓	✓	✓

TLS 1.1 & TLS 1.2 are enabled by default on post Windows 8.1 releases. Prior to that they were disabled by default. So the administrators have to enable the settings manually via the registry. Refer this article on how to enable this protocols via registry: https://support.Microsoft.com/en-us/kb/187498

On the client side, you can check this in the browser settings. If you are using IE on any of the supported Windows OS listed above, then in IE, browse to Tools -> Internet Options -> Advanced. Under the Security section, you would see the list of SSL protocols supported by IE. IE supports only those security protocol versions, which is supported by the underlying SCHANNEL component of the OS.

TLS settings in IE on Windows 10

Chrome supports whatever IE supports. If you intend to check the support in Firefox, then enter the text “about:config” in the browser address bar and then enter TLS in the search bar as shown below.

TLS Settings on Firefox v47

The settings security.tls.version.max specifies the maximum supported protocol version and security.tls.version.min specifies the minimum supported protocol version . They can take any of the below 4 values:

• 0 – SSL 3.0
• 1 – TLS 1.0 (This is the current default for the minimum required version.)
• 2 – TLS 1.1
• 3 – TLS 1.2 (This is the current default for the maximum supported version.)

NOTE: The behavior is undefined if security.tls.version.min is larger than the security.tls.version.max value.