Solved

Google Chrome: SSLVersionMin no longer supported? Why? How to enforce TLS 1.1 and up only.

Posted on 2016-09-16
Last Modified: 2016-10-05
Hey,

Wondering why these two features were removed from Chrome deployments.
I am trying to set the minimum level of TLS to v1.1 due to security reasons.

We have tried several methods but none of them work.
- using policy adm adml file from the download package, https://support.google.com/chrome/a/answer/187202#windows with https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip, using SSLVersionMin and SSLVersionFallbackMin.

- using --ssl-version-min=tls1.1 - I am assuming that this setting does what the above does.

- we ultimately tried forcing the OS setting via registry, but Chrome still used TLS 1.0 once run against https://www.ssllabs.com/ssltest/viewMyClient.html
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

Any other ways?

Thanks
Chris
Question by:r4kieta

Accepted Solution

by: btan earned 2000 total points (awarded by participants)
ID: 41802507
Try the iiscrypto tool to set your desired crypto. This sets the OS level.

http://www.tecklyfe.com/configure-iis-ssltls-protocol-cipher-best-practices/

For Chrome, the level is done via setting the command-line options:
--ssl-version-max
Specifies the maximum SSL/TLS version ("ssl3", "tls1", "tls1.1", or "tls1.2").
--ssl-version-min
Specifies the minimum SSL/TLS version ("ssl3", "tls1", "tls1.1", or "tls1.2").

As explained in https://productforums.google.com/forum/m/#!topic/chrome/mE-KUuYBkSU

You may test the TLS compatibility of unsupported web browsers by visiting https://www.howsmyssl.com.

Also have your IE set to enable TLS 1.1 and 1.2, though it should matter but may affect, and it is good to see if this setting is correct with the online SSL Labs test:
1. Starting in Internet Explorer 10, click Tools > Internet Options.
The Tools menu can sometimes be seen as a gear icon.
2. Click the Advanced tab.
3. In the Security area, select Use TLS 1.1 and Use TLS 1.2.
4. Click OK to save your changes.

Reboot machine.

Expert Comment

by:btan
ID: 41829543
As per advised.
Question has a verified solution.
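
To confirm that the registry changes from the question and any Chrome policy actually landed on a machine, the values can be read back. The PowerShell below is an added example, not code from either poster; the SChannel subkeys other than TLS 1.0 and the Chrome policy key path are assumptions not quoted in the thread (the standard SChannel protocol names and Chrome's usual Windows policy location). In the asker's test Chrome still negotiated TLS 1.0 with the SChannel keys set, so the first table describes the OS-level state only.

```powershell
# Added example: read-only audit of the SChannel protocol keys written by the
# REG ADD commands in the question, plus the Chrome policy values named there.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'   # assumed subkey names

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$schannel = foreach ($proto in $protocols) {
    foreach ($role in 'Client', 'Server') {
        $key     = Join-Path (Join-Path $base $proto) $role
        $enabled = Get-RegValue -Path $key -Name 'Enabled'
        $dbd     = Get-RegValue -Path $key -Name 'DisabledByDefault'
        # A missing key is not the same as "disabled": the OS default applies.
        $state = if ($null -eq $enabled -and $null -eq $dbd) { 'not set (OS default)' }
                 elseif ($enabled -eq 0)                     { 'disabled' }
                 elseif ($dbd -eq 1)                         { 'disabled by default' }
                 else                                        { 'enabled' }
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $dbd
            State             = $state
        }
    }
}
$schannel | Format-Table -AutoSize

# Assumed location of machine-wide Chrome policies; the policy names are the
# two the question mentions.
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$chrome = foreach ($name in 'SSLVersionMin', 'SSLVersionFallbackMin') {
    $value = Get-RegValue -Path $chromeKey -Name $name
    [pscustomobject]@{
        Policy = $name
        Value  = if ($null -eq $value) { '(not present)' } else { $value }
    }
}
$chrome | Format-Table -AutoSize
```

The script only reads values and changes nothing; a policy reported as "(not present)" means the template setting never reached the registry on that machine.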
