Server Fault Asked by user9099944 on November 16, 2021
After the July 2020 Windows update, an IIS-hosted website started using TLS 1.3 when I need it to be TLS 1.2 for inbound SSL inspection to avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors. How can I disable TLS 1.3?
A Microsoft article on Transport Layer Security (TLS) registry settings describes how this is done for SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, DTLS 1.0 and DTLS 1.2. There's no reason to believe this would be done any other way for TLS 1.3, although not yet documented.
It's also worth mentioning you'd only create keys to change the defaults from Protocols in TLS/SSL (Schannel SSP) – that explains why those keys don't exist by default.
Managing SSL/TLS Protocols and Cipher Suites for AD FS lists the actual registry keys better and also has PowerShell examples. The following is modified from there.
...using .reg file (Registry Editor):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
...using PowerShell:
New-Item `
'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' `
-Force | Out-Null
New-ItemProperty `
-path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' `
-name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty `
-path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' `
-name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null
Answered by Esa Jokinen on November 16, 2021
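To check what the registry holds after applying the answer above, here is a read-only audit of the Schannel protocol keys. It is an added example, not part of the original answer; the function name Get-SchannelProtocolState and the state labels are hypothetical, and it assumes the key layout shown in the answer.

```powershell
# Added example (not from the original answer): read-only audit of Schannel
# protocol overrides. Nothing is written to the registry.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {   # hypothetical helper name
    param(
        [string[]]$Protocol = @('TLS 1.2', 'TLS 1.3'),
        [string[]]$Role     = @('Server', 'Client')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key     = Join-Path (Join-Path $SchannelProtocols $p) $r
            $enabled = $null
            $dbd     = $null
            if (Test-Path -LiteralPath $key) {
                $props   = Get-ItemProperty -LiteralPath $key
                $enabled = $props.Enabled            # $null when the value is absent
                $dbd     = $props.DisabledByDefault
            }
            # The keys do not exist by default, so a missing key or missing
            # values means the OS default applies, not "disabled".
            $state = if ($null -eq $enabled -and $null -eq $dbd) {
                'OS default (no override)'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                'Disabled'
            } elseif ($dbd -eq 1) {
                'Not offered by default'
            } else {
                'Enabled'
            }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                KeyExists         = (Test-Path -LiteralPath $key)
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

# After applying the .reg file or PowerShell above, the 'TLS 1.3' / 'Server'
# row should report State = Disabled while TLS 1.2 stays at its default.
Get-SchannelProtocolState | Format-Table -AutoSize
```

This reports registry state only; a restart is normally needed before Schannel uses changed values, so confirm the negotiated version from a client afterwards.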