Enable TLS 1.1 and TLS 1.2 as default secure protocol in WinHTTP

I recently ran into an issue where a legacy VB application was trying to connect outbound with TLS 1.0. The application was moved from a Windows Server 2003 server to Windows Server 2012, which by default uses TLS 1.2 as its highest protocol. Windows KB3140245 has more information regarding this.

It looks like some legacy applications rely on the WinHTTP library in Windows to establish secure connections, and it appears that the WinHTTP default config on Server 2012 is to use TLS 1.0. Registry changes need to be made to enable the higher protocols.

1. Enable TLS 1.2 for WinHTTP

The screenshot in the original post (not reproduced here) shows the DWORD registry value that enables TLS 1.1 and TLS 1.2 for WinHTTP.
This value needs to be present in both the 32-bit and 64-bit registry key locations listed below.
Available options are:
TLS 1.1: 0x00000200
TLS 1.2: 0x00000800
TLS 1.2 + TLS 1.1: 0x00000A00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

2. Enable the TLS 1.2 protocol on server level

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\
Set DisabledByDefault to 0
Set Enabled to 1
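The two steps above, as an added PowerShell example (not code from the original post): it applies the WinHTTP flags to both registry locations and enables TLS 1.2 in Schannel, then reports what is currently set so the change can be verified. It assumes the value name DefaultSecureProtocols from KB3140245 and writes the Schannel settings under the Client and Server subkeys that Schannel actually reads; run it elevated, and expect Schannel changes to need a reboot.

```powershell
# Added example, not from the original post. Flag values are those listed above;
# the DefaultSecureProtocols value name comes from KB3140245.
$Tls11 = 0x00000200
$Tls12 = 0x00000800

$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
$SchannelTls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

# Step 1: set DefaultSecureProtocols in both the 64-bit and the Wow6432Node key.
function Set-WinHttpSecureProtocols {
    param([int]$Flags = ($Tls11 -bor $Tls12))   # default 0x00000A00 = TLS 1.2 + TLS 1.1
    foreach ($key in $WinHttpKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'DefaultSecureProtocols' `
            -PropertyType DWord -Value $Flags -Force | Out-Null
    }
}

# Step 2: enable TLS 1.2 in Schannel. Schannel reads the Client and Server
# subkeys, so both are written (the post's path stops at "TLS 1.2\").
function Enable-SchannelTls12 {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelTls12 $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Verification: decode the current WinHTTP value in each location. A missing value
# means the OS default applies (TLS 1.0 on Server 2012, per the post).
function Get-WinHttpProtocolStatus {
    foreach ($key in $WinHttpKeys) {
        $v = (Get-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -ErrorAction SilentlyContinue).DefaultSecureProtocols
        [pscustomobject]@{
            Key   = $key
            Value = if ($null -eq $v) { 'not set (OS default)' } else { '0x{0:X8}' -f $v }
            TLS11 = (($v -band $Tls11) -ne 0)
            TLS12 = (($v -band $Tls12) -ne 0)
        }
    }
}

Set-WinHttpSecureProtocols
Enable-SchannelTls12
Get-WinHttpProtocolStatus | Format-Table -AutoSize
```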
