Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the difference between the DisabledByDefault and Enabled SSL/TLS registry keys on Microsoft Windows?

Microsoft provides best practices guidance for Transport Layer Security (TLS). This document describes registry keys that can enable or disable a specific protocol.

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry

For example, to enable TLS 1.2, you can add the following registry keys.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:FFFFFFFF

What is the difference between DisabledByDefault and Enabled? They seem redundant.

like image 275
Timothy Schoonover Avatar asked Jul 18 '18 15:07

Timothy Schoonover


People also ask

What is DisabledByDefault?

When DisabledByDefault flag is set to 1, SSL / TLS version X is not used by default. If an SSPI app requests to use this version of SSL / TLS, it will be negotiated. In a nutshell, SSL is not disabled when you use DisabledByDefault flag.

What is difference between SSL and TLS?

Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still widely used.

How can I tell if TLS 1.2 is enabled in registry?

How to check if TLS 1.2 is enabled? If the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault is present, the value should be 0.

How do I know if TLS version is enabled in Windows?

1. Click on: Start -> Control Panel -> Internet Options 2. Click on the Advanced tab 3. Scroll to the bottom and check the TLS version described in steps 3 and 4: 4.


1 Answers

DisabledByDefault and Enabled are not redundant

When DisabledByDefault flag is set to 1, SSL / TLS version X is not used by default. If an SSPI app requests to use this version of SSL / TLS, it will be negotiated. In a nutshell, SSL is not disabled when you use DisabledByDefault flag.

When Enabled flag is set to 0, SSL / TLS version X is disabled and cannot be nagotiated by any SSPI app (even if DisabledByDefault flag is set to 0).

For more information, Microsoft documentation describes what SSL version is maintained or not, and how to disable it.

like image 139
Trevor65 Avatar answered Sep 19 '22 08:09

Trevor65