TLS 1.0 & Windows 7 - How to disable?

Last Modified: 2017-04-07
I have a vendor which operates a web service that we subscribe to. They have told us they will begin to refuse connections which are established using TLS 1.0 protocols for encryption. I agree with this and I was fairly certain we had taken all of the necessary steps to disallow TLS 1.0 nearly 2 years ago. This vendor is doing it a little differently in that they are going to keep TLS 1.0 enabled on their server and reject and lock out any connections which attempt to connect using it. This part, I do not agree with but who am I.

This vendor has done a packet capture on their side and I have also done one on the client side and both clearly indicate a TLS 1.0 handshake and establishment of an encrypted connection. This is the heart of the problem.

My question is simple, or so I thought... How do I go about disabling TLS 1.0 on a Windows 7 client such that it will no longer respond to TLS 1.0 offerings from a server which still has TLS 1.0 enabled? The client application I use is basically an embedded Internet Explorer client and as such can use any setting which affects Internet Explorer.

I am not perplexed for long on most issues but I must admit that this one has me totally stumped.

Thanks in advance for your insight...

Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:

Author

Commented:
This has already been done. This does not affect the connection as I would have thought.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
John - I will give this a go but the issue is affecting many systems both new and well used so I do not think there is going to be any fruit here but I have not tried this and I am willing to try nearly anything at this point.

Masnrock - The client software is custom and it uses an embedded browser (IE) to do its handy work. I will read these articles in a bit.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:

Author

Commented:
SFC found no issues on this system...
"Windows Resource Protection did not find any integrity violations."

The rest of it will have to wait for a bit later so I can reboot.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
David Johnson, CD, Simple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
David - Thanks for this response but this is for the server side or host. I am not in control of the host side and am trying to eliminate the option from the client side.

Author

Commented:
I have learned some new information over the weekend. It seems that in a .NET application, you can force the use of a particular variation of TLS within the application itself. We are talking with the software application developer now to turn off TLS 1.0 or at least make the minimum response be TLS 1.1.

This is the article which led me down this path to contact the vendor:
https://www.johnlouros.com/blog/enabling-strong-cryptography-for-all-dot-net-applications

Actually a very good article if you are a .NET developer and require the use of crypto...

Author

Commented:
masnrock - I had actually tried the regedit hacks from this MS article and this also led me to the vendor:
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows

The problem I had when I disabled TLS 1.0 using this method showed me that the application was not allowing any other cipher to perform the encrypted connection because the application would fail out with a message indicating that it could not create an SSL/TLS secure channel even though I still had TLS 1.1 & 1.2 active. The application was short-sighted and was requiring only TLS 1.0.

Anyway, this is now a priority bug for the vendor to acknowledge and resolve.

Author

Commented:
John - Yes there is a server but I have no control over it. The server operator is doing things a bit oddly and they have TLS 1.0 enabled so they can catch clients who have not systematically disabled the cipher and block them from performing any type of communications. While the quick solution is for them to turn off TLS 1.0, it seems they are trying to go beyond their own responsibility as good netizens and they appear to be trying to force others to be as well. They will not admit to this but this is what they skirt around in conversation. While I somewhat applaud their efforts, I do not agree this is a good tactic. They have their clients over a barrel because there is no alternative for what they do for us as far as the service they provide. Catch-22
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
The final answer was that the .NET code of the client application was invoking the TLS connection and was hard-coded into the application. The vendor is correcting this for us at this time. I am going to share points with all that tried to assist as all answers were valid and good attempts, alas, no one would have gotten this one right in the end.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thanks for the update
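
The cause named in the thread's final answer, a TLS version fixed in the client's .NET code, shown beside a corrected setting and a handshake check. This is an added example, not part of the original thread and not the vendor's code; the class and method names and the host `vendor.example` are placeholders, and it assumes .NET Framework 4.5 or later.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsClientCheck
{
    // "Before" form, shown for comparison and not called: the protocol is
    // fixed in code, so HttpWebRequest/WebClient in this process offer only
    // TLS 1.0. Disabling TLS 1.0 in the OS then leaves no usable protocol.
    static void PinTls10Only()
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
    }

    // Corrected form: offer TLS 1.1 and TLS 1.2, never TLS 1.0.
    static void RequireTls11OrNewer()
    {
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
    }

    // Performs a handshake offering only the given protocol versions and
    // returns the version actually negotiated with the server.
    static SslProtocols Negotiate(string host, int port, SslProtocols offered)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream()))
        {
            ssl.AuthenticateAsClient(host, null, offered, true);
            return ssl.SslProtocol;
        }
    }

    static void Main(string[] args)
    {
        // Placeholder host; pass a test endpoint as the first argument.
        string host = args.Length > 0 ? args[0] : "vendor.example";
        RequireTls11OrNewer(); // applies to HttpWebRequest/WebClient calls
        var offered = SslProtocols.Tls11 | SslProtocols.Tls12;
        try { Console.WriteLine("negotiated: {0}", Negotiate(host, 443, offered)); }
        catch (Exception ex) { Console.WriteLine("handshake failed: {0}", ex.Message); }
    }
}
```

The check offers only TLS 1.1 and 1.2, so it never presents TLS 1.0 to a server that locks out clients for doing so.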
