
TLS 1.2 Windows 2008 SP2 server

Hello everyone,


I still have a box running Windows Server 2008 SP2. I deployed .NET Framework 4.5.2 and verified that the .NET Framework version in use is indeed 4.5.2.


I have disabled all protocols except TLS 1.2 (set the Enabled registry key for the others to 0). Set the SchUseStrongCrypto key under WOW6432Node\Microsoft\.NETFramework\v4.0.30319 to 1. Set ciphers and cipher suites order.


Unfortunately I am still not able to use anymore (using I have ASPDotNetStoreFront 9.5.1 ecommerce solution and according to them it is TLS 1.2 ready. When I try to process a payment I get "Error connecting to payment gateway".


I've put the following code:

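' Synchronous GET through MSXML2.ServerXMLHTTP (the request URL is blank in the post as published)
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.open "GET", "", False
objHttp.send
Response.Write objHttp.responseText
Set objHttp = Nothing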

in a quick test asp file and when I hit that from a remote location I get the following:

{"given_cipher_suites":["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{},"tls_version":"TLS 1.0","rating":"Bad"}


If I go to on the server in Chrome it comes back reporting TLS 1.2. 


SSLlabs gives me 100 for Certificate and Protocol Support, 90 for Key Exchange and only 70 for Cipher Strength, most likely due to Windows 2008 not supporting GCM ciphers.


This is what I have for Protocols reported by ssllabs:

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No

And this is what I have for cipher suites: 

Cipher Suites

# TLS 1.2 (suites in server-preferred order)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128





Any ideas what might be happening and if there is anything I can do short of migrating? Do I have to have GCM ciphers?


Thank you so much for any help!!!! It has been some crazy now more than 24h.


Interestingly enough, using C# it reports similarly to the browser:


using System;
using System.Net;
using System.IO;

namespace howsMySSL
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Allow TLS 1.2, 1.1 and 1.0 for outbound requests made by this application.
            System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
            // The request URL is blank in the post as published.
            var response = WebRequest.Create("").GetResponse();
            var responseData = new StreamReader(response.GetResponseStream()).ReadToEnd();
            Response.Write(responseData);
        }
    }
}



{"given_cipher_suites":["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA"],"ephemeral_keys_supported":true,"session_ticket_supported":false,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.2","rating":"Probably Okay"}


Arghh, as soon as I post here and go back to try again, of course it works ---sighs---


The one thing that I did differently after reading a different post here (THANK YOU SO MUCH FOR THAT) was setting this registry key:


Set the SchUseStrongCrypto key under WOW6432Node\Microsoft\.NETFramework\v4.0.30319 to 1


That defaults the .NET Framework to TLS 1.2.


Again, thank you for that hint!!!!!
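
A read-only PowerShell audit of the settings described in this thread, as an added example that is not part of the original posts. It reads the per-protocol Enabled values and the SchUseStrongCrypto value; the full SCHANNEL path, the DisabledByDefault value and the non-WOW6432Node .NET path are the standard Windows locations and are not taken from the posts, and Get-RegValue is a helper name chosen here.

```powershell
# Read-only audit: nothing is written to the registry.
# Written with PowerShell 2.0-compatible constructs for older servers.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# Hypothetical helper: returns $null when the key or value is absent,
# which means the operating system default applies.
function Get-RegValue($Path, $Name) {
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

# Client and Server are separate subkeys: disabling a protocol for inbound
# connections (Server) does not change what outbound requests (Client) offer.
$report = foreach ($proto in $protocols) {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $proto) $role
        New-Object PSObject -Property @{
            Setting           = "$proto $role"
            Enabled           = Get-RegValue $key 'Enabled'
            DisabledByDefault = Get-RegValue $key 'DisabledByDefault'
        }
    }
}
$report | Format-Table Setting, Enabled, DisabledByDefault -AutoSize

# SchUseStrongCrypto is read per registry view: 64-bit .NET processes use the
# first path, 32-bit processes (such as a 32-bit IIS application pool) use the
# WOW6432Node path named in the post.
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($key in $netKeys) {
    $value = Get-RegValue $key 'SchUseStrongCrypto'
    if ($value -eq 1) { $state = 'strong crypto on' }
    else              { $state = 'not set: framework defaults apply' }
    "{0} -> SchUseStrongCrypto={1} ({2})" -f $key, $value, $state
}
```

A blank Enabled or DisabledByDefault cell means the value is absent; run the script from an elevated 64-bit PowerShell session so that both registry views are visible.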