TLS v1.1, 1.2, on Windows Server 2008 R2 not working

  • Question

  • It appears that TLS v1.1 and 1.2 are not working on *any* of our 2008/2008 R2 IIS Web Servers. We have both Enabled DWORD values on TLSv1.1 and 1.2 with a value of 1. When attempting to force a TLSv1.1 or 1.2 connection it does not return the expected cipher, session-ID, and master-key values as expected when either doing TLS1, or the same requested connection to all of our 2012/2012 R2 servers.

    TLSv1.0 result of openssl s_client -connect host:443 -tls1
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ECDHE-RSA-AES256-SHA
        Session-ID: 724700003630CFF247FCDE363CA1EE3AB93C827522999E6EB513C294BDF9CB9B
        Session-ID-ctx:
        Master-Key: EC64EFD4E8F1D33141719EFE89C8CCA02F20725708CA7156B3B0F024BF9107CBD0691920F8AD3DB6575AFCE51B55480B
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1461242201
        Timeout   : 7200 (sec)

    results of -tls1_2
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1461243212
        Timeout   : 7200 (sec)

    result from one of our 2012 R2 servers running the same registry values for protocols as the 2008 R2 server for -TLSv1.2
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: CA17000077602B6211B8FD831FD874D7A888F542C7BCFB01D840BEDC60A2E8EC
        Session-ID-ctx:
        Master-Key: F1815E8D17F410D8D9DF037AFA2816ED0CAFE51AF6A2EECC1BC375D6459C220788190575AD365303F03BA1BF77176020
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1461243283
        Timeout   : 7200 (sec)

    I have also run the site(s) through Qualys's SSL Labs site and it too returns a 'No' response for TLSv1.1 and 1.2.

    I have run IISCrypto and it shows all necessary protocols and associated ciphers needed in order to support TLSv1.2, but it is not working from everything I can tell. I tried to upload an image of a screenshot from IISCrypto, but it tells me I cannot until Microsoft can verify my account.

    Any assistance on a resolution for making TLSv1.1 and 1.2 available protocols would be greatly appreciated!

    Thursday, April 21, 2016 1:00 PM
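
The s_client transcripts in the question can be checked mechanically. The sketch below is an added example, not part of the original post; it decides whether a handshake completed from the cipher and key fields only, since the failed output above still shows `Protocol : TLSv1.2`. The function names and the shortened sample values are assumptions made for illustration.

```python
import re

# Constructed transcripts modelled on the s_client output quoted in the post;
# Session-ID and Master-Key values are shortened placeholders.
FAILED_2008R2 = """\
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Master-Key:
"""
OK_2012R2 = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: CA17AAAA
    Master-Key: F181BBBB
"""

FIELD = re.compile(r"^\s*([A-Za-z-]+)\s*:[ \t]*(.*)$")
NO_CIPHER = {"", "0000", "(NONE)"}  # values s_client prints when nothing was negotiated

def parse_session(text):
    """Collect the summary cipher and the single-word fields of the SSL-Session block."""
    fields, in_session = {}, False
    for line in text.splitlines():
        summary = re.match(r"New, .*Cipher is (.+)$", line.strip())
        if summary:
            fields["summary_cipher"] = summary.group(1).strip()
        elif line.strip() == "SSL-Session:":
            in_session = True
        elif in_session:
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
    return fields

def handshake_completed(text):
    """True only if a cipher was negotiated and a master key exists.
    The Protocol field is ignored: it echoes the requested version on failure."""
    f = parse_session(text)
    return (f.get("summary_cipher", "") not in NO_CIPHER
            and f.get("Cipher", "") not in NO_CIPHER
            and bool(f.get("Master-Key")))

if __name__ == "__main__":
    for name, t in (("2008 R2 -tls1_2", FAILED_2008R2), ("2012 R2 -tls1_2", OK_2012R2)):
        print(name, "->", "negotiated" if handshake_completed(t) else "handshake failed")
```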

All replies

  • delete
    • Marked as answer by caveneyp Friday, April 22, 2016 2:05 PM
    • Edited by caveneyp Friday, April 22, 2016 2:37 PM
    • Unmarked as answer by caveneyp Friday, April 22, 2016 2:37 PM
    Friday, April 22, 2016 2:05 PM