How to enable TLS 1.1, 1.2 in IIS 7.5
We want to support web browsers utilizing TLS 1.1 and 1.2, which has been apparently implemented by Microsoft, but is turned off by default.
So I went searching on Google and discovered some pages everyone seems to be following:
http://support.microsoft.com/kb/245030
https://www.derekseaman.com/2010/06/enable-tls-12-aes-256-and-sha-256-in.html
However! It doesn't appear to be working for me. I have set both DWORD vaules for DisabledByDefault and Enabled for TLS 1.1 and 1.2. I can confirm my client is attempting to communicate with TLS 1.2, but the server only responds with 1.0. I've restarted IIS, but it didn't change the situation.
Microsoft points out: "WARNING: The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential."
Well, that's very vague to me. I can't find anywhere where SCHANNEL_CRED is defined or set, all I can determine that it's a structure defined in a Microsoft library. That's my only guess for why this isn't work, yet I can't find enough information on it to determine if it is the true problem.
Reboot. Changes to Schannel settings do not take effect until the system is rebooted.
The easiest way to make changes in Microsoft SChannel protocols and ciphers (including cipher ordering) is to use IIS Crypto which is a completely free tool that can be downloaded without any kind of annoying registration requirements.
The tool manipulates the registry keys under the covers however it does so in a controlled, proven and safe way. We use it regularly.
It is also worth noting that it can help in automation scenarios as it has a command line version in addition to a GUI version.
There is also a blog that discusses some of the changes and why they have been made. The tool tends to be kept up to date when SSL issues arise.