credog

asked on

Unable to disable TLS 1.0

I have tried several things to disable TLS 1.0 on a Windows 7 system. All the documentation states to add registry keys and reboot. No matter what I try, TLS 1.0 is still reported to be enabled on both the client and the server side of the system. Here are the registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001


Testing with nmap and openssl both show that TLS 1.0 is still enabled for 3389 (server).  
openssl s_client -connect 192.168.1.1:3389  -tls1
....
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA


nmap --script ssl-enum-ciphers -p 3389 192.168.1.1
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
.....


Going to https://www.ssllabs.com/ssltest/viewMyClient.html shows TLS 1.0 is still enabled on the client side:
 
Protocols
TLS 1.3	Yes
TLS 1.2	Yes
TLS 1.1	Yes
TLS 1.0	Yes
SSL 3	No
SSL 2	No


arnold

Open your browser, and change the advanced settings under security, disabling TLS 1.0 for the client.


Environment, AD, ciphers, options might be enabled through GPO.

Run rsop, gpmc, group policy wizard...

...
ASKER CERTIFIED SOLUTION
Adam Leinss
Might try running IIS Crypto on the server, if you haven't already, and compare your registry results to confirm.

https://www.nartac.com/Products/IISCrypto

I also like using SSLScan

https://code.google.com/archive/p/sslscan-win/
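
To confirm that the values from the question are really present in the live registry, and stored as DWORDs as the question's listing shows, the script below reads them back for each protocol and role. It is an added example, not code from this thread; the function name Get-SchannelSetting and the Note column are constructs of the example.

```powershell
# Added example: report the live SCHANNEL protocol settings on this machine.
# Run in an elevated PowerShell prompt on the host being tested.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Client', 'Server'

function Get-SchannelSetting {
    param([string]$Protocol, [string]$Role)

    $path   = "$base\$Protocol\$Role"
    $result = New-Object PSObject -Property @{
        Protocol = $Protocol; Role = $Role
        Enabled = $null; DisabledByDefault = $null; Note = ''
    }
    if (-not (Test-Path -Path $path)) {
        $result.Note = 'key missing: OS default applies'
        return $result
    }
    $key = Get-Item -Path $path
    foreach ($name in 'Enabled', 'DisabledByDefault') {
        if ($key.GetValueNames() -notcontains $name) { continue }
        $kind = $key.GetValueKind($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # The question's listing uses dword values; flag any other type.
            $result.Note += "$name is $kind, not DWord. "
            continue
        }
        $result.$name = [int]$key.GetValue($name)
    }
    if ($null -eq $result.Enabled) {
        $result.Note += 'no DWord Enabled value found'
    } elseif ($result.Enabled -eq 0) {
        $result.Note += 'disabled in registry'
    } else {
        $result.Note += 'enabled in registry'
    }
    return $result
}

# One row per protocol and role, in a fixed column order.
$report = foreach ($p in $protocols) {
    foreach ($r in $roles) { Get-SchannelSetting -Protocol $p -Role $r }
}
$report | Select-Object Protocol, Role, Enabled, DisabledByDefault, Note |
    Format-Table -AutoSize
```

These keys configure Schannel only; a browser that ships its own TLS library takes its protocol settings from the browser, which is where the first reply points for the client side.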