How to Enable and Disable SSL / TLS Versions on Forefront TMG

Posted May 5, 2014

In my previous article What everyone should know about HTTPS, SSL, TLS and Certificates, I covered the basics of cryptography protocols and I touched lightly on the point that SSL and TLS are generally interchangeable terms referring to the same thing.

In this article I will go a little deeper into the differences, and explain how to enable and disable SSL / TLS versions on Forefront TMG to ensure your internal sites are running the latest and greatest cryptographic protocol version.

The Heartbleed Vulnerability on Forefront TMG

The recent OpenSSL Heartbleed vulnerability identified a critical issue with any Unix / Linux appliance, device, web server or firewall as they all share common libraries. Any system using OpenSSL version 1.0.1 through to 1.0.1f is vulnerable.

Fortunately, Microsoft have their own crypto stack and do not rely OpenSLL at all. As such none of the Microsoft products are vulnerable. This includes Forefront TMG and any web site that you reverse proxy through it. To double check, you can use the online test from SSL Labs https://www.ssllabs.com/ssltest/

One thing to keep in mind is that Heartbleed only affects TLS and not SSL. If you are not sure what the difference is, keep reading.

The SSL / TLS Timeline

SSL is essential the predecessor to TLS. As you would expect, TLS has taken the basic principles and functionality of SSL and improved upon them.

Most people, including a large portion of IT pros, are surprised to hear that there is something other then SSL that does the same thing. When you suggest turning off SSL 2.0, it is often met with some caution and resistance.

To put things into perspective, take a look at the timeline for SSL and TLS versions and pay attention to the interval between protocol iterations.

  • SSL 1.0 (Never publicly used)
  • SSL 2.0 (1995)
  • SSL 3.0 (1996)
  • TLS 1.0 (1999)
  • TLS 1.1 (2006)
  • TLS 1.2 (2008)

Notice how SSL 2.0 only had about a year before it was superseded almost 20 years ago?!

SSL / TLS Browser Support

In practice, the majority of public web sites are using TLS. Browser support for TLS has followed closely behind the protocol release itself.

The first versions of browsers that added support for TLS are:

  • Internet Explorer 6
  • Firefox 1
  • Chrome 0
  • Opera 5
  • Safari 4

We are now at the point where all of these browsers in their latest version support TLS 1.2

Which SSL / TLS Version Gets Used?

During the SSL handshake process, the browser and the server elect which protocol to use. The default behavior is to always use the highest version that is supported on both sides. This automatically ensures the highest level of security.

You can influence this process by selectively enabling or disabling the setting on the client side.

In Internet Explorer the settings are located in Internet Options | Advanced. Scroll down to the Security section to find the various checkboxes to enable or disable the protocols.

Checking your Web Servers

A great way to get a very thorough evaluation of your secure web site is to scan the site with the Free SSL Server Test from SSL labs.

The scan only takes about a minute to complete and provides you with a nice set of results. Under the configuration section, the protocols and associated Cipher Suites are listed.

If you look at the protocols from this scan you can see that SSL 2.0 is supported but TLS 1.1. and TLS 1.2 are not.

This scan was run against a Forefront TMG server that reverse proxies a Windows Server 2012 R2 IIS server. By default 2012R support SSL 3.0 and up. The reason the scan only detects up to TLS version 1.0 is because Forefront TMG itself is limited to those protocols.

How to Enable and Disable SSL / TLS Versions

Support for the newer cryptographic protocols such as TLS 1.1 and 1.2 are provided to Windows through the Security Support Provider Interface (SSPI) API. As you may expect for something as granular as this, it needs to be done through the registry.

  • Open Regdit (Start | Run | Regedit)
  • Navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  • Here you will need to create a key for each of the cryptographic protocols. Create keys named TLS 1.0 and TLS 1.1
  • Within each protocol key, create two sub keys. One named Client, the other named Server
  • Within each of the Client and Server keys, create a DWORD with the name EnabledA value of 1 enables the protocol where a value of 0 disables it.
  • Within each of the Client and Server keys, create another DWORD with the name DisabledByDefault. A value of 0 enables the protocol (i.e. not disabled by default).

When you are done you should have entries that look like this

You can also download and run this SSL TLS regfile or follow the steps from Microsoft directly:

Once the registry changes are made, you may need to restart your server. You can now re-run the SSL Labs test and you should get a better result.

Disabling SSL 2.0

While you were looking at the SSL 2.0 branch in the registry, you would have noticed en existing entry in the client node called DisabledByDefault. This is because SSL 2.0 has been deemed insecure and it is not recommended. As you can deduce from this, disabling SSL 2.0 on the server side would simply pull it inline with the default client configuration.

How to check SSL / TLS Versions in the browser

While browsing the Internet, you can check the client to see which protocol has been negotiated. To do this in Chrome:

  • Browse to a secure site
  • Click on the security padlock in the address bar
  • Select the Connection tab
  • The second section covers encryption

This is also handy if you would like to check your internal web servers that are not published to the Internet, preventing the SSL Labs test to be used.

Conclusion

Disabling SSL 2.0 is something that can almost always be done safely. It is something that gets checked by all security and audit scanning tools, and getting a bad score for supporting a protocol that is simply not used anymore is unnecessary.

Enabling the newer, more secure protocols will allow browsers to make use of the better security when possible. If you look at the logs of your reverse proxy traffic with a tool such as Webspy Vantage you will notice that HTTPS makes up a significant percentage of your traffic. Providing access to better security protocols is something all Forefront TMG admins should seriously consider.


Posted in , , , , , , , , ,

Etienne Liebetrau

Based in Cape Town, South Africa he is an IT Professional working in various environments building, testing and maintaining systems for a large national retail chain. An IT professional since 1996 Etienne has worked in various environments and is certified by Comptia, Dell and Microsoft.Etienne is the technical blogger and primary technical consultant for FixMyITsystem.com a solutions provider company based in Cape Town with a global client base.

fixmyitsystem.com
Follow me on twitter

Discussion

10 Comments
  1. Thanks for the helpful post. I could successfully follow the section “How to Enable and Disable SSL / TLS Versions”.
    After adding TLS1.2/Cleint keys, added the DWORD “Enabled” with the value 0. But it did not change the IE browser’s TLS/SSL settings. TLS1.2 is still enabled in the browser?.

    Why it is so?

    • Hi Shantha

      As far as I can tell, the registry affects the system behaviour and not application behaviour. If you would like to turn down IE for whatever reason, you would have to do it with a group policy and not using a registry setting

      Regards

  2. Thanks for you kind reply.
    I could change the ssl/tls settings on Internet Explorer using following steps:
    1. Open Regdit (Start | Run | Regedit)
    2. Navigate to the registry key: Software\Microsoft\Windows\CurrentVersion\Internet Settings
    3. Double click on the “SecureProtocols” key and edit the value by entering hexadecimal numbers.
    Hexadecimal values for enabling TLS1.0, TLS1.1, TLS1.2, SSLv1 and SSLv3 on Internet explorer is 80,200,800,8 and 20 respectively.

    Thanks,
    Shantha D

  3. Does this instruction work for both IIS6 and IIS7? Thank you.

  4. on win2k8 OS i m using winhttpsetoption to set the security protocol ( TLS 1 or TLS1.1 or TLS 1.2 ) .

    It is returning false on win2k8, but on win2k8 R2 it is returning true.

    what could be the issue any help/ suggestion will be grateful

    Thanks,
    Raghu

  5. Nice post! Thanks

    I’ve applied it to disable SSLv2 and SSLv3 and enabled TLS1.0 and TLS1.2

    My System logs are flooded with “Schannel EventID 36888”. Is this a normal behaviour?
    Any way to avoid it (withoud disabling schannel verbose)?

    Thanks
    SomoIT.net

  6. Hello All,

    Please how can i write a script that can enable protocols TLS 1.0, 1.1, 1.2 and SSL 3.0 on my website such that when people visit my site via Internet Explorer version 10 downwards, they will not have any problems accessing the site.

    NOTE: The VM running the wesbsite server is a linux environment.

    INI

  7. Hi ,

    Is there any way I can disable TLS 1.2 in linux system using chrome or any other browser?? I want to disable TLS 1.2 in my linux system .

Leave a Response

If you have a question or comment, or just need to get in touch, please use the form below.