WinHTTP Cipher restrictions to TLSv1.2 does not work on Windows7, Server 2008 R2 and Server 2012…
Posted by jpluimers on 2017/12/18
This will bite me some time for sure, so for my link archive: [WayBack] TRestClient and Cipher restrictions to TLSv1.2 does not work on Windows7 and Server2008R2 … and how it can be solved… – Günther Schoch – Google+
References:
- [WayBack] Support for SSL/TLS protocols on Windows – Unleashed
- [no WayBack or Acrhive.is] Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows: Describes an update that adds TLS 1.1 and TLS 1.2 to default security protocols in Windows Server 2012, Windows 7 SP1, and Windows Server 2008 R2 SP1.
For at least some Windows 7 and Server 2008 R2 systems, that update (KB3140245) doesn’t automatically turns up in the Windows Update list.
To make matters worse, the page cannot be archived in either the WayBack machine or Archive.is (I tried multiple times with empty results).
Luckily, there is a copy at [WayBack] KB3140245 DefaultSecureProtocols – Security.NL.
After installing the update, you have to ensure you set the DefaultSecureProtocols registry value to the bitmap value that indicates with SSL/TLS versions you want to support:
The DefaultSecureProtocols registry entry can be added in the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttpOn x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttpThe registry value is a DWORD bitmap. The value to use is determined by adding the values corresponding to the protocols desired.
DefaultSecureProtocols Value Protocol enabled 0x00000008 Enable SSL 2.0 by default 0x00000020 Enable SSL 3.0 by default 0x00000080 Enable TLS 1.0 by default 0x00000200 Enable TLS 1.1 by default 0x00000800 Enable TLS 1.2 by default For example:
The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.
Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800) then add them together in calculator (in programmer mode), the resulting registry value would be 0x00000A00.
–jeroen
The Wiert Corner - irregular stream of stuff 
KMorwath said
Just a warning: don’t change system-wide settings on a customer machine changing values automatically, especially without warning the user – you can break other applications. While disabling TLS 1.0 and SSL 3.0 is a good thing, it could really break other applications that for some reasons still need them. Sure, they may be not enough safe, but they still could be critical for the user.
So, enable newer TLS settings, but leave other protocols as they are on the target machine. At least read the current key, and OR it with 0x00000A00 – don’t set it to 0x00000A00.
Of course if the machine is wholly under your control, it’s up to you.
jpluimers said
Thanks. That’s indeed a very wise advice.