The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


WinHTTP Cipher restrictions to TLSv1.2 does not work on Windows7, Server 2008 R2 and Server 2012…

Posted by jpluimers on 2017/12/18

This will bite me some time for sure, so for my link archive: [WayBack] TRestClient and Cipher restrictions to TLSv1.2 does not work on Windows7 and Server2008R2 … and how it can be solved… – Günther Schoch – Google+


For at least some Windows 7 and Server 2008 R2 systems, that update (KB3140245) doesn’t automatically turn up in the Windows Update list.

To make matters worse, the page cannot be archived in either the WayBack machine or (I tried multiple times with empty results).

Luckily, there is a copy at [WayBack] KB3140245 DefaultSecureProtocols – Security.NL.

After installing the update, you have to set the DefaultSecureProtocols registry value to the bitmap value that indicates which SSL/TLS versions you want to support:

The DefaultSecureProtocols registry entry can be added in the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

The registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.

DefaultSecureProtocols Value    Protocol enabled
0x00000008                      Enable SSL 2.0 by default
0x00000020                      Enable SSL 3.0 by default
0x00000080                      Enable TLS 1.0 by default
0x00000200                      Enable TLS 1.1 by default
0x00000800                      Enable TLS 1.2 by default

For example:

The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.

Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800), then add them together in Calculator (in programmer mode); the resulting registry value would be 0x00000A00.
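
One way to apply the registry change described above, as an added example that is not code from the original post or from the KB article: it reads DefaultSecureProtocols in both paths and ORs the TLS 1.1 and TLS 1.2 bits into the existing value instead of overwriting it, so protocols that are already enabled stay enabled. The names `$Wanted`, `$Apply`, `$Flags` and `Format-Protocols` are made up for this example.

```powershell
# Added example, not from the original post. Run from an elevated 64-bit
# PowerShell session after KB3140245 is installed.
$Wanted = 0x00000200 -bor 0x00000800   # TLS 1.1 + TLS 1.2 = 0x00000A00
$Apply  = $false                        # set to $true to write the registry

# Bit values copied from the DefaultSecureProtocols table above.
$Flags = @(
    @{ Bit = 0x00000008; Name = 'SSL 2.0' },
    @{ Bit = 0x00000020; Name = 'SSL 3.0' },
    @{ Bit = 0x00000080; Name = 'TLS 1.0' },
    @{ Bit = 0x00000200; Name = 'TLS 1.1' },
    @{ Bit = 0x00000800; Name = 'TLS 1.2' }
)

# Render a bitmap as hex plus the protocol names whose bits are set.
function Format-Protocols([int]$Value) {
    $names = $Flags | Where-Object { $Value -band $_.Bit } | ForEach-Object { $_.Name }
    '0x{0:X8} ({1})' -f $Value, ($names -join ', ')
}

$Paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
# The Wow6432Node key only exists on x64 systems; it covers 32-bit applications.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}

foreach ($Path in $Paths) {
    $Current = 0   # an absent value is treated as 0 here, so only $Wanted gets set
    $Prop = Get-ItemProperty -Path $Path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if ($Prop) { $Current = [int]$Prop.DefaultSecureProtocols }

    $New = $Current -bor $Wanted   # keep whatever was enabled, add TLS 1.1 and 1.2
    Write-Output $Path
    Write-Output "  current: $(Format-Protocols $Current)"
    Write-Output "  new:     $(Format-Protocols $New)"

    if ($Apply -and ($New -ne $Current)) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name DefaultSecureProtocols `
            -PropertyType DWord -Value $New -Force | Out-Null
    }
}
```

With `$Apply` left at `$false` the script only reports the current and resulting bitmap for each path, which makes it usable as an audit before anything is written.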


2 Responses to “WinHTTP Cipher restrictions to TLSv1.2 does not work on Windows7, Server 2008 R2 and Server 2012…”

  1. KMorwath said

    Just a warning: don’t change system-wide settings on a customer machine changing values automatically, especially without warning the user – you can break other applications. While disabling TLS 1.0 and SSL 3.0 is a good thing, it could really break other applications that for some reason still need them. Sure, they may not be safe enough, but they still could be critical for the user.

    So, enable newer TLS settings, but leave other protocols as they are on the target machine. At least read the current key, and OR it with 0x00000A00 – don’t set it to 0x00000A00.

    Of course if the machine is wholly under your control, it’s up to you.
