?
Solved

Google Chrome o      SSLVersionMin no longer supported? Why? how to enforce TLS 1.1 and up only.

Posted on 2016-09-16
2
Medium Priority
?
149 Views
Last Modified: 2016-10-05
Hey,

Wandering why these two features were removed from chrome deployments.
I am trying to set the minimum level of TLS to v1.1 due to security reasons.

We have tried several methods but none of them work.
- using policy adm adml file from the download package. https://support.google.com/chrome/a/answer/187202#windows with https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip using
SSLVersionMin and SSLVersionFallbackMin.

- using –ssl-version-min=tls1.1 - i am assuming that this setting does what above does.

- we ultimatelly tried forcing OS setting via registry, but chrome still used TLS 1.0 once run against https://www.ssllabs.com/ssltest/viewMyClient.html
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

Any other ways?

Thanks
Chris
0
Comment
Question by:r4kieta
  • 2
2 Comments
 
LVL 66

Accepted Solution

by:
btan earned 2000 total points (awarded by participants)
ID: 41802507
Try iiscrypto tool to set toyour desired crypto. This set the OS level.

http://www.tecklyfe.com/configure-iis-ssltls-protocol-cipher-best-practices/

For Chrome, the level is done via setting the command-line options:
--ssl-version-max
Specifies the maximum SSL/TLS version ("ssl3", "tls1", "tls1.1", or "tls1.2").
--ssl-version-min       
Specifies the minimum SSL/TLS version ("ssl3", "tls1", "tls1.1", or "tls1.2").

Ad explained in https://productforums.google.com/forum/m/#!topic/chrome/mE-KUuYBkSU

You may test the TLS compatibility of unsupported web browsers by visiting https://www.howsmyssl.com.

Also have your IE set to enable TLS 1.1 and 1.2 though it ahould matter but may affect and good to see if this setting is correct with the online test with ssl lab test:
1. Starting in Internet Explorer 10, click Tools > Internet Options.
The Tools menu can sometimes be seen as a gear icon.
2. Click the Advanced tab.
3. In the Security area, select Use TLS 1.1 and Use TLS 1.2.
4. Click OK to save your changes.

Reboot machine.
0
 
LVL 66

Expert Comment

by:btan
ID: 41829543
As per advised.
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

AngularJS web development a very simple procedure. So, to put it, in short, AngularJS’ stand out features are – Two-way data binding, MVC structure, directives, templates, dependency injections and testing.
Although a new technology, ReactJs offers multiple benefits to the website owners when it comes to creating interactive websites. Know what aspects make React Js one of the most popular frameworks for building websites.
This Micro Tutorial will demonstrate how to updated your Facebook updates after changing anything in the title or description of a shared article.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question