Table of Contents
As you might already know, TLS version 1.0 is not safe anymore and should be disabled, just like SSL 2.0 and SSL 3.0: if you want to know why you can either read this post, which summarizes pretty much you have to know, or recover some info regarding the three biggest attacks that managed to exploit the various TLS 1.0 vulnerabilities discovered within 2011 and 2014: BEAST, Heartbleed and POODLE.
Anyway, if you have a recent version of Windows - such as Windows 10 - you won't be affected by this issue, provided you always install the OS updates through the official channels. Conversely, if you're still using Windows 7 or Windows 8, you might have to perform some manual tasks in order to get rid of that outdated TLS version: on these systems, all applications created in WinHTTP (Windows HTTP Services) such as MS Outlook, MS Word, and the likes will use TLS 1.0 support, which is the default encryption standard for these OSes. As a result, if you attempt to establish a secure connection from your Outlook client to a "TLS secured" server, there is a high chance that MS Outlook will display one of the following error messages:
The server does not support the specified connection encryption type.
Your server does not support the connection encryption type you have specified.
Luckily enough, this can be fixed by telling your OS to never use TLS 1.0 anymore, and stick with TLS 1.1 and 1.2 by default. Here's a small guide explaining how you can do that.
Install the KB3140245 Security Patch
The first thing to do is to download and install the Windows KB3140245: you can do that using Windows Update, since it's available as an optional update, or manually download it from the following official website:
This will equip your OS with TLS versions 1.1 and 1.2.
Updating your Windows Registry file
The next step you need to do is to patch your Windows Registry file, so that your OS will actually use the new TLS protocol versions (1.2, and 1.1 as a fallback) instead of the outdated and vulnerable 1.0 one. This can be done either automatically (with an official Microsoft-released patch file) or by manually editing the registry file using regedit or our own TLS12fix.reg file.
Microsoft Patch File
The Microsoft patch file is called MicrosoftEasyFix51044.msi and can be downloaded from this url:
If you're doing this to face a common MS Outlook scenario, downloading and executing this file is all that you need to fix your issue.
Manual update
If you're an experienced user this probably is the recommended approach, since it allows you to choose which protocol to enable or not.
#1. Setting the default TLS protocols
The first thing you do is to create a new DWORD key called DefaultSecureProtocols in the following sections of your registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
The HEX value to set depends on which protocol(s) you would like to enable by default:
- To enable TLS 1.0, TLS 1.1 and TLS 1.2, set the value to 00000A80 (not recommended- that's what you want to avoid).
- To enable TLS 1.1 and TLS 1.2 only, thus disabling TLS 1.0, set the value to 00000A00. This is the recommended approach as of today (might change in the future if TLS 1.1 becomes outdated as well).
- To enable TLS 1.1 only, set the value to 00000200.
- To enable TLS 1.2 only, set the value to 00000800.
If you want to know more about these settings, take a look at this official Microsoft page, which explains everything and also adds some valuable info about the whole topic.
#2. Enable TLS 1.1 and 1.2 at the SChannel component level
The second thing to do, as explained in this TechNet article, is to create another DWORD key called DisabledByDefault in the following sections of your registry:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
And set a value of 0 (zero).
Registry Patch File(s)
If you don't want to manually edit your Windows Registry file using regedit, you can download use these registry patch files which we made, that will automatically set all the above registry keys with a single click.
- Download Registry Patch File to enable TLS 1.1 and TLS 1.2 (recommended as of 2019.10)
- Download Registry Patch File to enable TLS 1.1 only
- Download Registry Patch File to enable TLS 1.2 only
Conclusion
That's it, at least for now: I sincerely hope that this post will be useful for those system administrators, power users and enthusiasts who want (or need) to patch their system to get rid of TLS 1.0 and fix this security vulnerability for good.