How to enable TLS 1.2 on Windows Server 2008 R2

Problem

How to enable TLS 1.2 on Windows Server 2008 R2?

Resolution

QuoVadis recommends enabling and using the TLS 1.2 protocol on your server.  TLS 1.2 has improvements over previous versions of the TLS and SSL protocol which will improve your level of security.  By default, Windows Server 2008 R2 does not have this feature enabled.  This KB article will describe the process to enable this.

  1. Start the registry editor by clicking on Start and Run. Type in “regedit” into the Run field (without quotations).
  2. Highlight Computer at the top of the registry tree.  Backup the registry first by clicking on File and then on Export.  Select a file location to save the registry file.
  3. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  4. Right click on the Protocols folder and select New and then Key from the drop-down menu. This will create new folder.  Rename this folder to TLS 1.2.
  5. Right click on the TLS 1.2 key and add two new keys underneath it.
  6. Rename the two new keys as:
    • Client
    • Server
  7. Right click on the Client key and select New and then DWORD (32-bit) Value from the drop-down list.
  8. Rename the DWORD to DisabledByDefault.
  9. Right-click the name DisabledByDefault and select Modify… from the drop-down menu.
  10. Ensure that the Value data field is set to 0 and the Base is Hexadecimal.  Click on OK.
  11. Create another DWORD for the Client key as you did in Step 7.
  12. Rename this second DWORD to Enabled.
  13. Right-click the name Enabled and select Modify… from the drop-down menu.
  14. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.
  15. Repeat steps 7 to 14 for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).
  16. Reboot the server.

Your server should now support TLS 1.2.

Letsencrypt + Certbot

Letsencrypt provides free SSL certificates

Certbot automates re-newal and installation of the certificates

Install Certbot:

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Generate and install the certificate

$ certbot --apache

Generate the certificate only

$ certbot --apache certonly

Generate wildcard certificate

$ sudo certbot certonly --manual --preferred-challenges=dns --email yourname@yourdomain.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.yourdomain.com

Renewal

The Certbot packages on your system come with a cron job that will renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature.

$ sudo certbot renew --apache

Your connection is not private

Update 2/19/2017: I got a new certificate from www.sslforfree.com Now the site should work with all browsers.

 

If you were trying to access my blog recently with Google Chrome or Mozilla Firefox the chance is you have seen this warning:

Please, do not get alarmed – I am not trying to steal your information as Google suggests.

I am using a SSL certificate issued by StartCom (www.startssl.com)

StartCom was bought by company called WoSign. Google found that WoSign ” have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome”. Read the full story here: Distrusting WoSign and StartCom Certificates

If you use Internet Explorer you will not see this warning (as of today 2/12/2017).

In fact if you use online SSL checkers you will see there is no problem with the certificate. These are just some of them:

SSLShopper

DigiCert

SSLLabs

 

The issue is that Google decided to punish WoSign and I have certificates issued by their daughter company StartCom.

At this moment I am not sure what I am going to do. I have multiple web sites and purchasing certificates from another (trusted) company can be expensive. Alternatively I might opt to not using SSL and HTTPS at all.

Until I decide what to do my suggestion to you is to use Internet Explorer when accessing my sites. Thanks!