https protocol does not work on IIS 10 after upgrading from Windows 7

Solution 1:

I got the answer by myself. The problem was that over the years the ciphers have changed, but only Windows 2012 and 2016 servers have had proper updates, not older versions, and Windows 10 already had those entries and was updated accordingly. Consequently, there are some registry entries that do not exist that affect the way SSL is treated in IIS after the upgrade. To test if this is the case, open a new tab in Firefox, type about:config, search for security.tls.version.max, set it to 3 and save. If you try to go to the website, it works or at least shows the usual warning that the certificate is not correct. If so, then undo the change in Firefox and apply the solution depicted here, which I am going to describe anyway just in case those pages are forgotten or deleted.

The whole problem is fixed by updating the registry with the following entries, which should be created or changed depending on whether you had already done part of the changes to strengthen security in your web server before.

Update WinHTTP

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
  "DefaultSecureProtocols" = dword:00000aa0
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
  "DefaultSecureProtocols" = dword:00000aa0

Enable TLS 1.2 if you haven't done it yet

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001

If your application is a 32-bit one on a 64-bit OS, then also modify

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
  "SystemDefaultTlsVersions" = dword:00000001
  "SchUseStrongCrypto" = dword:00000001

Configure the SCHANNEL protocols to enable TLS 1.2 if you haven't done it yet

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  "DisabledByDefault" = dword:00000000
  "Enabled" = dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
  "DisabledByDefault" = dword:00000000
  "Enabled" = dword:ffffffff

Be sure that TLS 1.1 is configured the same as TLS 1.2 if you want to support it for legacy applications/browsers. It is advisable to disable weak ciphers such as SSL and, if you can, TLS 1.0 ("DisabledByDefault" = dword:00000001 and "Enabled" = dword:00000000 for both Client and Server; those entries are located under the TLS 1.0 key, which is at the same level as TLS 1.1 and TLS 1.2), and then restart the computer.

If all goes well, your application is going to work again, or at least show the usual security-risk message due to the self-signed certificate. I hope this works for you; please upvote if it helps you solve the issue, and thanks in advance.

Note: You can set/clear the proper regedit values by using the scripts provided here: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12
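The following PowerShell script is an added example, not part of the answer above or of the linked scripts. It transcribes the registry entries from the answer into a desired-state table, reports which values on the machine differ (audit mode), and only writes them when the script's own `-Apply` switch is given; the `-DisableTls10` switch, also specific to this script, adds the TLS 1.0 disable entries the answer recommends. It uses `CurrentControlSet` rather than the answer's `ControlSet001`, since `CurrentControlSet` always resolves to the control set Windows is actually running from, and writes `1` for every `Enabled` value (the answer uses `ffffffff` on the server side, which SCHANNEL also accepts). Run it from an elevated PowerShell and reboot after applying.

```powershell
# Added example: audit/apply the TLS registry settings from the answer.
# -Apply and -DisableTls10 are switches of this script, not Windows options.
param(
    [switch]$Apply,
    [switch]$DisableTls10
)

# Desired state transcribed from the answer (assumed complete for this host).
$desired = @()

# WinHTTP: DefaultSecureProtocols 0xAA0 = TLS 1.0 | TLS 1.1 | TLS 1.2 bits.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $desired += @{ Path = "$root\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
                   Name = 'DefaultSecureProtocols'; Value = 0xAA0 }
}

# .NET Framework 2.0/4.0, 64-bit and 32-bit (Wow6432Node) hives.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    foreach ($fw in 'v2.0.50727', 'v4.0.30319') {
        $key = "$root\Microsoft\.NETFramework\$fw"
        $desired += @{ Path = $key; Name = 'SystemDefaultTlsVersions'; Value = 1 }
        $desired += @{ Path = $key; Name = 'SchUseStrongCrypto';       Value = 1 }
    }
}

# SCHANNEL: enable TLS 1.2 for Client and Server; optionally disable TLS 1.0.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($side in 'Client', 'Server') {
    $desired += @{ Path = "$schannel\TLS 1.2\$side"; Name = 'DisabledByDefault'; Value = 0 }
    $desired += @{ Path = "$schannel\TLS 1.2\$side"; Name = 'Enabled';           Value = 1 }
    if ($DisableTls10) {
        $desired += @{ Path = "$schannel\TLS 1.0\$side"; Name = 'DisabledByDefault'; Value = 1 }
        $desired += @{ Path = "$schannel\TLS 1.0\$side"; Name = 'Enabled';           Value = 0 }
    }
}

# Audit: compare each desired value with what the registry currently holds.
# A missing key or value shows up as $null, which never equals the desired DWORD.
$drift = foreach ($e in $desired) {
    $current = $null
    if (Test-Path -Path $e.Path) {
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($e.Name) }
    }
    if ($current -ne $e.Value) {
        [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Current = $current; Desired = $e.Value }
    }
}

if (-not $drift) {
    Write-Host 'All entries already match the desired state.'
    return
}

Write-Host 'Entries that differ from the desired state:'
$drift | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply (elevated) to write these values, then reboot.'
    return
}

# Apply: create missing keys (-Force creates intermediate keys) and write DWORDs.
foreach ($d in $drift) {
    if (-not (Test-Path -Path $d.Path)) {
        New-Item -Path $d.Path -Force | Out-Null
    }
    New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord -Value $d.Desired -Force | Out-Null
    Write-Host ("Set {0}\{1} = {2}" -f $d.Path, $d.Name, $d.Desired)
}
Write-Host 'Done. Reboot for the SCHANNEL changes to take effect.'
```

Running the script without switches is safe on a production host: it only reads the registry and prints the differences, which is the check to run before and after the change (and a quick way to confirm whether an earlier hardening pass already created some of the keys). The TLS 1.0 entries are left out unless you ask for them, matching the answer's "if you can" caveat for legacy clients.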