uniquare
Windows 7 - SSTP over TLS 1.1/TLS 1.2
Hi all,
is it possible that a VPN/SSTP connection in Windows 7 is not TLS 1.1 or TLS 1.2 capable?
I deactivated the TLS 1.0 protocol on my NPS server (Windows Server 2012 R2 Standard), then I tried a VPN/SSTP connection to this server. During this I took a look at Wireshark (on the client) and it stated that the client (Windows 7) wants to use the TLS 1.0 protocol.
Afterwards I tried to force the TLS 1.1 and TLS 1.2 protocols through the registry settings (SecurityProviders\SCHANNEL\Protocols) on the client operating system; furthermore I deactivated the TLS 1.0 protocol.
But it is not possible to establish a VPN/SSTP connection with my server. I have tested this whole scenario with a Windows 8 client and everything works fine.
Best regards
Frank
ASKER
Hi Dorsey,
I have already done that (checked this more than twice). I also checked these settings with IISCrypto; all looks fine.
I looked over your blog, and in your script you activate TLS 1.0, but I want to deactivate it.
Anyway, as I mentioned before, the connection with Windows 8 works fine with the server settings.
Did you re-arrange the cipher suites?
I have a client using Windows 7 clients to connect to server VPN with TLS1.0 disabled. I don't know the details of their configuration though as I did not set it up.
ASKER
Yes, I re-arranged the cipher suites, but there should be a Windows 7 compatible cipher suite.
My Cipher Suite Order:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ASKER
@Schuyler Dorsey: Did you deactivate TLS 1.0 on the client or on the server? Did you activate FIPS on the client, too?
I don't think the server is the main problem, but I will post my SCHANNEL configuration from the server for future support.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
"SendExtraRecord"=dword:00000001
"ClientCacheTime"=dword:00f099c0
"AllowInsecureRenegoClients"=dword:00000000
"DisableRenegoOnServer"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
@=""
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
@=""
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
@=""
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
@=""
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
@=""
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
@=""
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
"AllowInsecureRenegoClients"=dword:00000000
"DisableRenegoOnServer"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
@=""
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
@=""
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
ASKER CERTIFIED SOLUTION
ASKER
I got the answer in another forum and posted the solution here.
1. Ensure the server side has the right protocols enabled and disabled
2. Ensure the client side matches.
So for both, follow my steps on my blog which detail how to secure SSL on Windows systems.
https://rootisthelimit.com/securing-ssl-configuration-in-iis/
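Steps 1 and 2 above come down to comparing the effective SCHANNEL protocol state on the two machines, and the server export posted earlier in the thread is exactly the input for that comparison. The following Python script is an added example, not code from the thread or from the linked blog. It parses .reg exports of the SCHANNEL\Protocols keys, applies the SChannel rules (Enabled=0 switches a protocol off outright; DisabledByDefault=1 only hides it from applications that do not request it explicitly), lists the versions that are explicitly enabled for the client role on the client and the server role on the server, and classifies entries of a cipher suite order by the lowest TLS version that can carry them. SERVER_REG and CLIENT_REG are constructed samples shaped like the posted export (the client one is hypothetical), and the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

ProtoKey = Tuple[str, str]  # (protocol name, "Client" or "Server")

# Constructed samples shaped like the .reg export posted in the thread. SERVER_REG
# mirrors the TLS entries of the posted server export; CLIENT_REG is hypothetical.
SERVER_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""
CLIENT_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(\w+)"=dword:([0-9a-fA-F]{8})$')
PROTO_PATH = "\\SecurityProviders\\SCHANNEL\\Protocols\\"
CURVE_SUFFIX = re.compile(r"_P\d+$")  # Windows appends the curve, e.g. _P256


def parse_reg(text: str) -> Dict[ProtoKey, Dict[str, int]]:
    """Collect the DWORD values under SCHANNEL\\Protocols\\<name>\\<Client|Server>."""
    result: Dict[ProtoKey, Dict[str, int]] = {}
    current: Optional[ProtoKey] = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = None
            path = section.group(1)
            idx = path.find(PROTO_PATH)
            if idx != -1:
                parts = path[idx + len(PROTO_PATH):].split("\\")
                if len(parts) == 2 and parts[1] in ("Client", "Server"):
                    current = (parts[0], parts[1])
                    result.setdefault(current, {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            result[current][value.group(1)] = int(value.group(2), 16)
    return result


def effective_state(values: Dict[str, int]) -> str:
    """SChannel rules: Enabled=0 switches the protocol off outright; DisabledByDefault=1
    keeps it off only for applications that do not request it explicitly; with less
    than both values set, the default of that Windows build fills the gap."""
    if values.get("Enabled") == 0:
        return "disabled"
    if values.get("DisabledByDefault") == 1:
        return "on-request-only"
    if values.get("Enabled") and values.get("DisabledByDefault") == 0:
        return "enabled"
    return "os-default"


def role_report(states: Dict[ProtoKey, Dict[str, int]], role: str) -> Dict[str, str]:
    """Effective state of every protocol for one role (Client or Server)."""
    return {proto: effective_state(v) for (proto, r), v in states.items() if r == role}


def half_disabled(states: Dict[ProtoKey, Dict[str, int]]) -> List[str]:
    """Keys with DisabledByDefault=1 but no Enabled=0: any application that asks for
    the protocol explicitly can still use it, so the hardening is incomplete."""
    return sorted(f"{p}\\{r}" for (p, r), v in states.items()
                  if effective_state(v) == "on-request-only")


def common_protocols(client_reg: str, server_reg: str) -> List[str]:
    """Versions explicitly enabled for the Client role on the client machine and the
    Server role on the server machine; the handshake needs at least one of them."""
    c = role_report(parse_reg(client_reg), "Client")
    s = role_report(parse_reg(server_reg), "Server")
    return sorted(p for p, st in c.items() if st == "enabled" and s.get(p) == "enabled")


def min_tls_version(suite: str) -> str:
    """TLS 1.2 introduced the SHA-256/SHA-384 HMAC suites and the GCM suites (RFC 5246,
    RFC 5289); the older AES-CBC-SHA suites also run under TLS 1.0/1.1. TLS 1.3 suite
    names (TLS_AES_...) are out of scope for this 2012 R2 setup."""
    base = CURVE_SUFFIX.sub("", suite.strip())
    if "_GCM_" in base or base.endswith(("_SHA256", "_SHA384")):
        return "TLS 1.2"
    return "TLS 1.0"


if __name__ == "__main__":
    server = parse_reg(SERVER_REG)
    print("server roles:", role_report(server, "Server"))
    print("incompletely disabled on server:", half_disabled(server))
    print("versions both sides can use:", common_protocols(CLIENT_REG, SERVER_REG))
    for suite in ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521",
                  "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521"):
        print(suite, "needs at least", min_tls_version(suite))
```

Run against the posted server export, the script reports TLS 1.0\Client as on-request-only, because that key carries only DisabledByDefault=1 and no Enabled=0; the Server key, which is what the SSTP listener uses, is fully disabled. The suite classifier shows why the order matters for an older client: every SHA256, SHA384 and GCM entry in the posted list needs TLS 1.2, so a client that negotiates TLS 1.1 can only use the plain _CBC_SHA entries.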