WinHTTPRequest and TLS v1.2

Is it possible to make the WinHTTPRequest object use TLS v1.2 on a Windows 2008R2 server?

I tried to use this site: "https://howsmyssl.com/a/check" to check the connection security properties,
and it reports that the TLS is 1.0
but if I use the object Msxml2.XMLHTTP instead of WinHTTP.WinHTTPRequest,
then the server reports that "tls_version" is "TLS 1.2"

    set http_req = CreateObject("WinHTTP.WinHTTPRequest.5.1")
    http_req.open "GET", "https://howsmyssl.com/a/check", false
    http_req.send 
    MsgBox  http_req.responseText

the response:
{"given_cipher_suites":["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,
"unknown_cipher_suite_supported":false,"beast_vuln":false
,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{},
"tls_version":"TLS 1.0","rating":"Bad"}

If that is impossible, then I'd like to know how bad it actually is to use "Msxml2.XMLHTTP" to make connections from a web server process?
Distinguished Expert 2019
Commented:
Did you make sure that TLS 1.1 and 1.2 are enabled on the server? BTW - You might want to disable 3DES also.

One of the key things you need on the server is KB3140425 if you don't already have it. Here is a MS article that will walk you through everything: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Author

Commented:
I've set the recommended value in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and now WinHTTP uses TLS 1.2!
Thank you a lot!

Actually I had the value previously set in this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
But I was actually running a 32-bit script, so the value had no effect.

Thank you again!
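
The 32-bit versus 64-bit registry mismatch described in the last comment can be audited with a short script. This is an added example, not part of the original thread; the value name `DefaultSecureProtocols` and its bit flags are taken from the Microsoft article linked above, not from the posts themselves.

```powershell
# Added example: report the WinHTTP DefaultSecureProtocols value for both
# registry views, so a value set for only one bitness is easy to spot.

# A 32-bit host is redirected to Wow6432Node for BOTH paths below,
# which would hide exactly the mismatch this script is looking for.
if ([IntPtr]::Size -ne 8) {
    Write-Warning 'Running in a 32-bit PowerShell host: only the 32-bit registry view is visible. Re-run from 64-bit PowerShell.'
}

# Bit flags as documented in the linked Microsoft article.
$flags = @(
    @{ Bit = 0x008; Name = 'SSL 2.0' },
    @{ Bit = 0x020; Name = 'SSL 3.0' },
    @{ Bit = 0x080; Name = 'TLS 1.0' },
    @{ Bit = 0x200; Name = 'TLS 1.1' },
    @{ Bit = 0x800; Name = 'TLS 1.2' }
)

# The two keys named in the thread: native view and 32-bit (WOW64) view.
$views = @(
    @{ View = '64-bit processes'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' },
    @{ View = '32-bit processes'
       Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' }
)

foreach ($v in $views) {
    $item = Get-ItemProperty -Path $v.Path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        '{0}: DefaultSecureProtocols is not set; WinHTTP falls back to the operating system default' -f $v.View
        continue
    }

    $value   = [int]$item.DefaultSecureProtocols
    $enabled = @($flags | Where-Object { $value -band $_.Bit } | ForEach-Object { $_.Name })
    '{0}: 0x{1:X} -> {2}' -f $v.View, $value, ($enabled -join ', ')

    if (-not ($value -band 0x800)) {
        Write-Warning ('{0}: TLS 1.2 is not enabled for WinHTTP clients of this bitness.' -f $v.View)
    }
    if ($value -band 0x028) {
        Write-Warning ('{0}: SSL 2.0 or SSL 3.0 is still enabled.' -f $v.View)
    }
}
```

If the two lines of output differ, scripts and services of one bitness negotiate a different protocol set than those of the other, which is the situation the author ran into.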