Upgrade winhttp.dll version to support TLS 1.1 and TLS 1.2 on Windows 2008 R2 and Windows 7

    Question

    • winhttp.dll windows 2008 r2 and windows 7
    On Windows 7 and Windows 2008 R2 server I have winHTTP.dll version 6.1.7601.17514.
    On Windows 2012 server I have winHTTP.dll version 6.2.9200.16451.

    winHTTP.dll version 6.1.7601.17514 is not working with TLS 1.1 and TLS 1.2.
    winHTTP.dll version 6.2.9200.16451 is working OK.

    Here is a sample of my test code:

    set obj = CreateObject("WinHttp.WinHttpRequest.5.1")
    obj.Open "POST", "https://www.paymnt.com/"
    obj.SetTimeouts 30000, 60000, 60000, 60000
    obj.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
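    obj.Option(6) = false ' WinHttpRequestOption_EnableRedirects: do not follow redirects
    obj.Option(9) = 512 ' WinHttpRequestOption_SecureProtocols: TLS 1.1 (0x200) - error
    'obj.Option(9) = 2048 ' TLS 1.2 (0x800) - error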


    How can we upgrade the winhttp version on Windows 2008 R2 server or on Windows 7 to work with TLS 1.1 and TLS 1.2?

    Here is a pic with winHTTP.dll version 6.1.7601.17514


    Friday, November 20, 2015 10:35 PM

All replies

  • I found a solution with a simple registry fix.

    1) Register TLS 1.2 protocol:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:ffffffff
    "DisabledByDefault"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:ffffffff
    "DisabledByDefault"=dword:00000000
    


    2) Configure TLS 1.2 to be default in 32 bit applications:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "DefaultSecureProtocols"=dword:00000800


    3) Configure TLS 1.2 to be default in 64 bit applications:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
    "DefaultSecureProtocols"=dword:00000800


    4) Restart server (important for step 1)


    If you need support of TLS 1.1 only then:
    - On step 1) above simply change "TLS 1.2" to "TLS 1.1" and apply new registry fix
    - On steps 2) and 3) above change value "00000800" to "00000200" and apply new registry fix

    If you need support of both TLS 1.1 and 1.2 then:
    - Repeat step 1) from above two times to register both protocols
    - On steps 2) and 3) use value "00000A00" (which is the combination of "00000800" + "00000200")

    Code for verification:

    <%
    Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
    objHttp.open "GET", "https://howsmyssl.com/a/check", False
    objHttp.Send
    Response.Write objHttp.responseText
    Set objHttp = Nothing
    %>
    At the end of the response you should see the version of TLS used by the request:
    "tls_version":"TLS 1.2"

    Friday, August 26, 2016 3:51 PM
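
To check what a given set of these registry values actually enables, the following added example (not part of the original posts) parses .reg text and decodes `DefaultSecureProtocols` for both registry views, and also reports whether each SCHANNEL client protocol key is explicitly enabled. It goes beyond the 0x200/0x800 values in the answer by also decoding the older SSL 2.0, SSL 3.0 and TLS 1.0 bits so that legacy protocols left on are flagged. The function names and the sample input are constructed for illustration, and treating a missing `DisabledByDefault` as "not explicitly enabled" is an assumption of this example.

```python
import re

# WinHTTP protocol bits in DefaultSecureProtocols (0x200/0x800 are from the answer above).
FLAGS = {0x008: "SSL 2.0", 0x020: "SSL 3.0", 0x080: "TLS 1.0",
         0x200: "TLS 1.1", 0x800: "TLS 1.2"}
LEGACY = {"SSL 2.0", "SSL 3.0", "TLS 1.0"}

def parse_reg(text):
    """Parse .reg text into {lowercased key path: {value name: int}} (dwords only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.fullmatch(r"\[(.+)\]", line)
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
        elif val and current is not None:
            current[val.group(1).lower()] = int(val.group(2), 16)
    return keys

def decode_protocols(mask):
    return [name for bit, name in sorted(FLAGS.items()) if mask & bit]

def audit(text):
    report = {}
    for path, values in parse_reg(text).items():
        if path.endswith(r"internet settings\winhttp") and "defaultsecureprotocols" in values:
            view = "Wow6432Node" if "wow6432node" in path else "native"
            names = decode_protocols(values["defaultsecureprotocols"])
            report[view] = {"protocols": names, "legacy": sorted(LEGACY & set(names))}
        m = re.search(r"schannel\\protocols\\(.+)\\client$", path)
        if m:
            # Assumption: "explicitly enabled" means Enabled != 0 and DisabledByDefault == 0.
            on = values.get("enabled", 0) != 0 and values.get("disabledbydefault", 1) == 0
            report.setdefault("schannel_client", {})[m.group(1).upper()] = on
    return report

# Constructed sample input (not an export from a real host).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:000000a0
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the constructed sample the two views disagree: one enables TLS 1.1 and 1.2, the other still defaults to SSL 3.0 and TLS 1.0, which is the kind of drift to look for after applying the fix to only one key.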