TLS 1.0 still being used in IIS after it's been disabled
Solution 1
You can verify if server will serve TLS 1.0 if requested with the following openssl command.
openssl s_client -tls1 -brief -connect example.com:443
If connection has succeed you will see something like:
CONNECTION ESTABLISHED
Protocol version: TLSv1
Ciphersuite: DHE-RSA-AES256-SHA
Peer certificate: CN = example.com
Server Temp Key: DH, 8192 bits
If connection has failed you will see:
write:errno=104
You can test support for other protocols by issuing:
TLS v1.1: openssl s_client -tls1_1 -brief -connect example.com:443
TLS v1.2: openssl s_client -tls1_2 -brief -connect example.com:443
SSL v3: openssl s_client -ssl3 -brief -connect example.com:443
Solution 2
The problem was that SSL was actually being handled by a load balancer and not on the server so it had to be disabled on the load balancer.
Solution 3
I know this is old, but this may help someone else. If FIPS is enabled it will override the TLS 1.0 settings and enable TLS 1.0. It has to be disabled to disable TLS 1.0. Hope this helps someone.
Related videos on Youtube
Dwayne Driskill
I'm an asp.net, JavaScript, iOS, SQL and PHP developer in the Ann Arbor, MI area.
Updated on September 18, 2022Comments
-
Dwayne Driskill over 1 year
I've configured IIS on Windows Server 2008 R2 to not allow TLS 1.0. I've done this by setting these reg keys and rebooting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\DisabledByDefault set to 1 (as a DWORD) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled set to 0 (as a DWORD) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\DisabledByDefault set to 1 (as a DWORD) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled set to 0 (as a DWORD)
On the client side, I'm using FireFox 48.0 and IE 9 to test. (I can't use later versions of IE because the network admins have the settings locked down). This is how I'm configuring IE to force TLS 1.0:
This is how I'm configuring FireFox to force TLS 1.0:
I'm using WireShark to confirm the protocol being used. This is what it looks like when I force TLS 1.0 in the browser:
I've also used the OpenSSL command suggested below to confirm that TLS 1.0 is still being used:
openssl s_client -tls1 -connect mysite.com:443
If I force TLS 1.1 in the browser, this is what WireShark look like:
The problem is that the server is configured to not allow TLS 1.0, but when I configure my browser to only use TLS 1.0, then TLS 1.0 is being used. If I configure IE to not allow any version of TLS, then it returns an error "
Internet Explorer cannot display the web page
" which is what I would expect. My goal is to prevent the server from using TLS 1.0 even if the client only supports TLS 1.0 because TLS 1.0 has security vulnerabilities. How can I get IIS to stop using TLS 1.0? -
Brien Malone almost 3 yearsIt's amazing how far upstream you might have to go. In our case, our web sever was correctly configured as was our firewall, but it was our cloudflare proxy that was holding the door open for TLS 1.0 and TLS 1.1