credog
asked on
Unable to disable TLS 1.0
I have tried several things to disable TLS 1.0 on a Windows 7 system. All the documentation states to add registry keys and reboot. No matter what I try, TLS 1.0 is still reported to be enabled on both the client and the server side of the system. Here are the registry keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
Testing with nmap and openssl both show that TLS 1.0 is still enabled for 3389 (server).
openssl s_client -connect 192.168.1.1:3389 -tls1
....
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
nmap --script ssl-enum-ciphers -p 3389 192.168.1.1
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
.....
Going to https://www.ssllabs.com/ssltest/viewMyClient.html shows TLS 1.0 is still enabled on the client side:
Protocols
TLS 1.3 Yes
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Might try running IIS Crypto on the server, if you haven't already, and compare your registry results to confirm.
https://www.nartac.com/Products/IISCrypto
I also like using SSLScan
https://code.google.com/archive/p/sslscan-win/
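One way to do the registry comparison suggested above, as an added example that is not part of the original thread: a PowerShell function (the name Test-SchannelProtocol is hypothetical) that reads the TLS 1.0 Client and Server subkeys quoted in the question and reports whether each value exists, is a DWORD, and matches the intended setting.

```powershell
# Added example: audit the SCHANNEL protocol values quoted in the question.
# Run in an elevated PowerShell session on the machine being checked.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Values the question sets for a disabled protocol.
$expected = @{ Enabled = 0; DisabledByDefault = 1 }

function Test-SchannelProtocol {
    param(
        [string]$Protocol = 'TLS 1.0',            # subkey name, including the space
        [string[]]$Roles  = @('Client', 'Server')
    )
    foreach ($role in $Roles) {
        $path = Join-Path (Join-Path $base $Protocol) $role
        foreach ($name in $expected.Keys) {
            $status = 'OK'
            $value  = $null
            $kind   = $null
            if (-not (Test-Path -LiteralPath $path)) {
                $status = 'KeyMissing'            # subkey absent: OS default applies
            } else {
                $key = Get-Item -LiteralPath $path
                if ($key.GetValueNames() -notcontains $name) {
                    $status = 'ValueMissing'
                } else {
                    $kind  = $key.GetValueKind($name)
                    $value = $key.GetValue($name)
                    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                        $status = 'WrongType'     # e.g. created as a string value
                    } elseif ($value -ne $expected[$name]) {
                        $status = 'Mismatch'
                    }
                }
            }
            # One result row per role/value pair.
            New-Object PSObject -Property @{
                Role = $role; Name = $name; Kind = $kind
                Value = $value; Expected = $expected[$name]; Status = $status
            }
        }
    }
}

Test-SchannelProtocol | Format-Table Role, Name, Kind, Value, Expected, Status -AutoSize
```

A Status other than OK points at a missing subkey, a missing value, or a value created with the wrong type. These keys only govern software that uses Schannel, so a program with its own TLS library is not affected by them.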
Environment, AD, ciphers, options might be enabled through GPO.
Run rsop, gpmc, group policy wizard...
...