Let’s first go over the SSL and TLS versions.
Below is the list, from weakest to strongest:
SSL 1.0 – never publicly released due to security issues.
SSL 2.0 – released 1995. Deprecated in 2011.
SSL 3.0 – released 1996. Deprecated in 2015.
TLS 1.0 – released 1999 as the successor to SSL 3.0. Deprecated in 2020.
TLS 1.1 – released 2006. Deprecated in 2020.
TLS 1.2 – released 2008.
TLS 1.3 – released 2018.
I think it’s obvious, but do not use any of the deprecated versions.
The Payment Card Industry Data Security Standard (PCI DSS) requires TLS 1.1 or higher for compliance, with TLS 1.2 recommended. I don’t agree with allowing TLS 1.1. BUT, TLS 1.3 is the future, so get ready for it.
Microsoft is not ready for TLS 1.3 just yet. For example, on Server 2019, IIS does not support TLS 1.3 at this time. It will come, so look out for it.
# SQL:
Read the link below:
https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server
# IIS:
Below is how you disable SSL/TLS versions for IIS. IIS gets its TLS from SCHANNEL, so these keys apply to every SCHANNEL-based service on the box (RDP, LDAPS, SQL Server, etc.), not only IIS, and they take effect after a reboot. The example disables everything except TLS 1.2.
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```
Values:
0 = OFF/DISABLE
1 = ON/ENABLE
DisabledByDefault set to 1 means SCHANNEL will not offer that version unless an application explicitly asks for it.
Enabled set to 0 means that version cannot be used at all, even if an application asks for it. Setting both (DisabledByDefault=1 and Enabled=0) is what actually disables that SSL/TLS version; the Client key governs outbound connections from the box and the Server key governs inbound ones.
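The same end state as the .reg file above, applied from PowerShell and then verified from the network. This is an added example, not code from the original post: the hostname is a placeholder, and the probe deliberately skips certificate validation because it checks only which protocol versions the server still accepts. Run the registry part as Administrator and reboot before probing.

```powershell
# Added example (not from the original post). Applies the SCHANNEL settings
# described above and probes a listener per protocol version afterwards.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client','Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 blocks the version outright; DisabledByDefault=1 stops SCHANNEL
        # from offering it unless an application asks for it explicitly. Set both.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 1 } else { 0 }) | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Force `
            -Value $(if ($Enabled) { 0 } else { 1 }) | Out-Null
    }
}

function Test-TlsProtocol {
    # Attempts a handshake restricted to a single protocol version. A hardened
    # server must refuse the old ones. Certificate validation is bypassed on
    # purpose: this probe is about the protocol, not the certificate.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            [pscustomobject]@{ Requested = $Protocol; Accepted = $true
                               Negotiated = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm }
        } catch {
            [pscustomobject]@{ Requested = $Protocol; Accepted = $false
                               Negotiated = $null; Cipher = $null }
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

# Same end state as the .reg file: everything off except TLS 1.2.
foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1') {
    Set-SchannelProtocol -Protocol $p -Enabled $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# After the reboot, from any machine that can reach the server
# ('iis01.example.internal' is a placeholder). Only Tls12 should come back Accepted.
foreach ($v in 'Ssl3','Tls','Tls11','Tls12') {
    Test-TlsProtocol -HostName 'iis01.example.internal' -Port 443 -Protocol $v
}
```

Run the probe from a machine whose own Client keys still allow the old versions; if the probing box has already been hardened, SCHANNEL refuses to start a TLS 1.0 handshake locally and every old version shows as refused regardless of what the server would do.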
# .NET:
If you need to change the TLS version the .NET Framework uses, read below.
These are the registry changes to make for each runtime version (v2.0.50727 and v4.0.30319), in both the native hive and the 32-bit WOW6432Node hive:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001
```
SystemDefaultTlsVersions values:
0 = .NET picks the protocol list itself
1 = .NET defers to the OS (SCHANNEL), so the protocol versions you enabled above are the ones a .NET app will use
SchUseStrongCrypto values:
0 = Should not be used; it is the legacy, insecure setting. It is the DEFAULT for .NET Framework 4.5.2 and earlier.
1 = Tells your app to use strong cryptography, which Microsoft defines as TLS 1.0, TLS 1.1 and TLS 1.2 instead of SSL 3.0 (I laugh at this because TLS 1.0 and TLS 1.1 are not secure, but that is what Microsoft has on their site). With SystemDefaultTlsVersions=1 the OS decides anyway, so the SCHANNEL keys above are what actually keep TLS 1.0 and 1.1 off the wire.
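The .NET keys above applied and audited from PowerShell, with a check of what a freshly started .NET process actually defaults to. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 on the box being hardened and must run as Administrator.

```powershell
# Added example (not from the original post). Sets the four .NET Framework keys
# described above, reports their state, and shows the effective default.
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-DotNetTlsDefaults {
    foreach ($key in $DotNetKeys) {
        New-Item -Path $key -Force | Out-Null
        # SystemDefaultTlsVersions=1: defer to SCHANNEL, so the OS-level protocol
        # configuration applies. SchUseStrongCrypto=1: take SSL 3.0 off .NET's own
        # default list for apps compiled against older frameworks.
        New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-DotNetTlsDefaults {
    # Audit view: one row per runtime/bitness, flagged when either value is missing or not 1.
    foreach ($key in $DotNetKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
            SchUseStrongCrypto       = $props.SchUseStrongCrypto
            Compliant                = ($props.SystemDefaultTlsVersions -eq 1 -and
                                        $props.SchUseStrongCrypto -eq 1)
        }
    }
}

Set-DotNetTlsDefaults
Get-DotNetTlsDefaults | Format-Table -AutoSize

# These values are read when a process starts, so check from a new process, not this one.
# With SystemDefaultTlsVersions=1 the output is 'SystemDefault' (OS decides); without it,
# Windows PowerShell 5.1 typically reports 'Ssl3, Tls', meaning the app would still offer
# SSL 3.0 and TLS 1.0 on its own.
& powershell.exe -NoProfile -Command '[Net.ServicePointManager]::SecurityProtocol'
```

Re-run Get-DotNetTlsDefaults after any .NET Framework upgrade; the keys survive, but the audit is cheap and catches images built from an older template that never had them.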