Kaseya Community

TSL 1.0 and 1.1

  • Hey everyone,

    I would like to know what everyone is doing about the disabling/removal of TSL 1.0 and 1.1 from some programs like Office 365. I'm not very clear on who needs to be concerned about these changes. Do average users need to make sure that their TSL 1.0 and 1.1 are disabled on the OS level? Is it just servers offering services and such that need to disable them?

    Any thoughts or information would be appreciated!


  • Blah, it's supposed to be TLS not TSL!!

  • Hi Rob, for Office 365 (at least) you don't need to disable TLS 1.0 or TLS 1.1 on the clients, you just need to ensure TLS 1.2 is available. More generally speaking TLS 1.0 and TLS 1.1 are still regarded as 'secure' but SSL 3.0 has known weaknesses so it's good practice to disable SSL 3.0 (and lower) on the client OS level to prevent potential downgrade attacks.

    I suggest reading this carefully - support.microsoft.com/.../preparing-for-tls-1-2-in-office-365 where Microsoft says "By October 31, 2018, all client-server and browser-server combinations should use TLS version 1.2 (or a later version) to ensure connection without issues to Office 365 services. This may require updates to certain client-server and browser-server combinations."

    There are two different mechanisms Windows uses to establish secure connections - Schannel and WinHTTP. Much of the OS (including IE11) uses Schannel but Outlook (for example) relies on WinHTTP as well. Accordingly you need to make sure that both are enabled for TLS 1.2.

    More recent versions of Windows (Windows 8.1 onwards, Server 2012 R2 onwards) enable TLS 1.2 out of the box for both Schannel and WinHTTP so you will be unlikely to run into issues there unless you have specifically disabled TLS 1.2 support.

    Older versions (Windows 7, Server 2008 R2, Server 2012) shipped with TLS 1.2 enabled for Schannel but WinHTTP only got support for TLS 1.2 through updates released in mid 2016 (see support.microsoft.com/.../update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in). The kicker here is that installing the update isn't enough - you also need to configure several registry keys to ensure TLS 1.2 support is available. The article covers this but I'm confident *many* admins out there would have approved the update for installation but never followed up with the registry keys. Thankfully you presumably have Kaseya to help push out the necessary registry keys so this is easy enough to address.

    I also suggest reading this blog post as it covers the underlying issues really well and breaks things down into specific actions - blogs.technet.microsoft.com/.../enabling-tls-1-1-and-1-2-in-outlook-on-windows-7
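
A read-only check for the point in the reply above that both Schannel and WinHTTP need TLS 1.2 available, added here as an example and not part of the original post or of Microsoft's articles. The registry paths and `DefaultSecureProtocols` bit values are the ones Microsoft documents for the WinHTTP update rather than values quoted on this page; nothing is modified.

```powershell
# Read-only audit: can WinHTTP and Schannel clients on this machine use TLS 1.2?
# Bit values of the WinHTTP DefaultSecureProtocols DWORD (Microsoft-documented).
$ProtocolBits = @{ 'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80
                   'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function ConvertFrom-SecureProtocolMask {
    param([long]$Mask)
    $ProtocolBits.GetEnumerator() | Sort-Object Value |
        Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key }
}

# Windows 7 / Server 2008 R2 / Server 2012 report a version below 6.3.
$legacyOs = [Environment]::OSVersion.Version -lt [Version]'6.3'

# WinHTTP: native view, plus the 32-bit view when it exists on a 64-bit OS.
$winHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $winHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}
foreach ($key in $winHttpKeys) {
    $mask = Get-RegValue -Path $key -Name 'DefaultSecureProtocols'
    if ($null -eq $mask) {
        $status = if ($legacyOs) { 'NOT SET: WinHTTP default on this OS excludes TLS 1.2' }
                  else { 'not set: OS default already includes TLS 1.2' }
    } else {
        $names  = (ConvertFrom-SecureProtocolMask -Mask $mask) -join ', '
        $state  = if ($mask -band $ProtocolBits['TLS 1.2']) { 'present' } else { 'MISSING' }
        $status = '0x{0:X} = {1}; TLS 1.2 {2}' -f $mask, $names, $state
    }
    "WinHTTP  $key`n         $status"
}

# Schannel client override for TLS 1.2 (absent values mean the OS default applies).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$enabled  = Get-RegValue -Path $schannel -Name 'Enabled'
$disabled = Get-RegValue -Path $schannel -Name 'DisabledByDefault'
if ($enabled -eq 0 -or ($null -ne $disabled -and $disabled -ne 0)) {
    "Schannel TLS 1.2 client explicitly DISABLED (Enabled=$enabled, DisabledByDefault=$disabled)"
} elseif ($null -eq $enabled -and $null -eq $disabled) {
    'Schannel TLS 1.2 client: no override set, OS default applies'
} else {
    "Schannel TLS 1.2 client enabled (Enabled=$enabled, DisabledByDefault=$disabled)"
}
```

On the older Windows versions the `DefaultSecureProtocols` value only takes effect once the WinHTTP update mentioned above is installed, so a correct value here does not by itself confirm that the update is present.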

  • TLS 1.0 is now deprecated. www.lexiconn.com/.../pci-council-pushes-back-tls-1-0-end-of-life-date-to-june-2018

    See www.nartac.com/.../IISCrypto for a free, simple tool to enable and disable various protocols.

    Note you do need to reboot after any changes, for them to take effect.

    We also use www.ssllabs.com/ssltest to verify the security of our public-facing SSL sites.