Enabling TLS 1.2 Support and Blocking Weak Ciphers on CxManager

TLS 1.1 is being phased out by all major browsers, including Chrome, Firefox, Safari and Edge.

TLS (Transport Layer Security) and its now-deprecated predecessor, SSL (Secure Sockets Layer) are cryptographic protocols designed to provide communications security over a computer network. Websites can use TLS to secure all communications between their servers and web browsers. The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.

Sensitive data such as user credentials and credit card information must be protected while it is transmitted over the network, and the ciphers used during secure communications via SSL and TLS 1.1 are too weak to do so. As a rule of thumb, if data must be protected when it is stored, it must also be protected during transmission. Even if strong ciphers are supported and used today, a misconfiguration on the server may allow a client that negotiates a weak cipher, or no encryption at all, to gain access to the supposedly secure communication channel.

Enabling TLS 1.2 Support

Support for TLS 1.2 can be enabled via the Windows registry on the CxManager host. TLS 1.2 can be enabled manually or automatically from the CxManager host as explained below.

  • TLS 1.2 requires SQL Server 11.0.5388.0 or higher; older SQL Server versions do not support TLS 1.2.
  • It is strongly recommended to disable weak ciphers. The relevant ciphers are listed at the end of this document.

Enabling TLS 1.2 Automatically

1. Download the attached registry file (TLS1.2.reg) to the CxManager desktop.

2. Right click and select Merge.

3. Restart the server.

Enabling TLS 1.2 Manually

1. Start the Registry editor. To do so, enter regedit in the Windows search field. The Registry Editor appears.

 a. Enable TLS 1.2 client keys
  1. In the Registry Editor, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  2. Right-click the Protocols folder, select New | Key. Rename this key/folder TLS 1.2.
  3. Right-click the TLS 1.2 key/folder and select New | Key again. Rename this key/folder Client.
  4. Right-click the Client key/folder and select New | DWORD (32-bit) Value. Rename the DWORD to DisabledByDefault and make sure that the value is set to 0 as illustrated below.
  5. Right-click the Client key/folder and select New | DWORD (32-bit) Value. Rename the DWORD to Enabled. Set the value to 1.
    To set the value to 1, right-click Enabled, select Modify... from the shortcut menu and under Value Data, change the value to 1.

 b. Configure .NET to use TLS 1.2
  1. In the Registry Editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
  2. Right-click inside the right pane and create a new DWORD (32-bit) Value. Rename the DWORD to SchUseStrongCrypto. Set the value to 1.
    To set the value to 1, right-click SchUseStrongCrypto, select Modify... from the shortcut menu and under Value Data, change the value to 1.
  3. In the Registry Editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
  4. Repeat step b.2 above for this key (create SchUseStrongCrypto and set it to 1).

2. Restart the server.
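The manual procedure above (sections a and b), as an added PowerShell example that is not part of the original article or any Checkmarx script. It assumes an elevated PowerShell session on the CxManager host, applies the same registry values the steps describe, and then reads each value back so a mistyped key or value is caught before the restart.

```powershell
# Added example, not Checkmarx's own code. Run as Administrator on the CxManager host.
$ErrorActionPreference = 'Stop'

# Section a: TLS 1.2 client keys under SCHANNEL\Protocols
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$client   = Join-Path $schannel 'TLS 1.2\Client'

# Section b: SchUseStrongCrypto for the 64-bit and 32-bit (Wow6432Node) .NET Framework 4.x keys
$dotnet = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # New-Item -Force also creates the intermediate 'TLS 1.2' key when it does not exist yet
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-DwordValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # Read the value back; a missing key or value yields $null and is reported as FAIL
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($actual -eq $Expected)
    $status = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ('{0} {1}\{2} = {3} (expected {4})' -f $status, $Path, $Name, $actual, $Expected)
    return $ok
}

# Apply the values from steps a.4, a.5 and b.2/b.4
Set-DwordValue -Path $client -Name 'DisabledByDefault' -Value 0
Set-DwordValue -Path $client -Name 'Enabled'           -Value 1
foreach ($p in $dotnet) { Set-DwordValue -Path $p -Name 'SchUseStrongCrypto' -Value 1 }

# Verify every value before restarting
$results = @()
$results += Test-DwordValue -Path $client -Name 'DisabledByDefault' -Expected 0
$results += Test-DwordValue -Path $client -Name 'Enabled'           -Expected 1
foreach ($p in $dotnet) { $results += Test-DwordValue -Path $p -Name 'SchUseStrongCrypto' -Expected 1 }

if ($results -contains $false) {
    Write-Warning 'One or more registry values are not set as expected; review the FAIL lines above.'
} else {
    Write-Host 'All TLS 1.2 registry values verified. Restart the server to apply them.'
}
```

The script only touches the Client keys the article describes; cipher suite changes are left to the administrators as the next section instructs.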

Disabling Weak Ciphers

Contact your administrators or IT personnel to disable the relevant ciphers.

 List of ciphers to be disabled

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_NULL_SHA256
  • TLS_RSA_WITH_NULL_SHA
  • TLS_PSK_WITH_AES_256_GCM_SHA384
  • TLS_PSK_WITH_AES_128_GCM_SHA256
  • TLS_PSK_WITH_AES_256_CBC_SHA384
  • TLS_PSK_WITH_AES_128_CBC_SHA256
  • TLS_PSK_WITH_NULL_SHA384
  • TLS_PSK_WITH_NULL_SHA256