How to Configure Microsoft Windows 7 to Use TLS Version 1.2
Overview
This document explains how to configure your Microsoft Windows® 7 workstation and Microsoft Outlook® 2010 mail clients to use Transport Layer Security (TLS) protocol version 1.2.
- We support TLS version 1.2.
- We strongly recommend that you enable TLSv1.2 on your server.
- The instructions in this document only pertain to servers that run the Windows 7 operating system.
- We strongly recommend that you do not adjust the cipher and protocol settings for the Exim and Dovecot services on Windows 7. Servers on this operating system fail PCI compliance scans because of unpatched security vulnerabilities that exist in the following mail clients:
  - Outlook 2007.
  - Outlook 2010.
Create registry keys
Install Windows update
You must download and install the KB3140245 Windows update from the Microsoft Update Catalog. This update will create the registry key paths in which you will create new registry keys. These registry keys will allow you to enable TLSv1.2 on your server.
After you download and install the update, you must restart your workstation for the changes to take effect.
Add a registry key for Windows HTTP services
To add a registry key for Windows HTTP services, perform the following steps:
1. From the Windows Start menu, enter regedit.exe in the Search text box.
2. Click regedit.exe to open the Registry Editor.
3. Navigate to the following registry path:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
4. Select the WinHttp key.
5. From the Menu bar, click Edit, select New, and click DWORD (32-bit) Value.
   Note: On 64-bit systems, click QWORD (64-bit) Value.
6. Enter DefaultSecureProtocols as the DWORD value's name.
7. Right-click the new value and select Modify from the Context menu.
8. Enter A00 in the Value Data text box and click OK.
Important: If your workstation runs on a 64-bit system, you must also perform steps 5-8 for the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Add a registry key for the TLS directories
To add registry keys for TLS versions 1.1 and 1.2, perform the following steps:
1. Navigate to the following registry path:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
2. Select the Client key.
3. From the Menu bar, click Edit, select New, and click DWORD (32-bit) Value.
   Remember: On 64-bit systems, click QWORD (64-bit) Value.
4. Enter DisabledByDefault as the DWORD value's name.
5. Right-click the new value and select Modify from the Context menu.
6. Enter 0 in the Value Data text box and click OK.
7. Navigate to the TLS 1.2 registry path and open the Client key.
8. Repeat steps 2-6 and click OK.
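The two procedures above create values but give you no way to confirm them except by reopening the Registry Editor. The following read-back script is an added example for this page, not cPanel's own code: it reads the DefaultSecureProtocols value from the WinHttp key (and from the Wow6432Node copy on 64-bit systems), decodes which protocol bits are set, and checks DisabledByDefault under the TLS 1.1 and TLS 1.2 Client keys. The protocol bit values it decodes (0x200 for TLS 1.1, 0x800 for TLS 1.2) are the ones Microsoft documents for KB3140245; the page itself only gives the combined value A00. It assumes an elevated PowerShell session on the workstation you configured.

```powershell
# Added verification script, not part of the original cPanel document.
# Reads back the registry values that the manual steps create and reports
# whether the TLS 1.1 / TLS 1.2 client protocols are enabled.
# Assumption: run in an elevated PowerShell session on the configured workstation.

$winHttpPaths = @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp")
if ((Get-WmiObject -Class Win32_OperatingSystem).OSArchitecture -eq "64-bit") {
    # 32-bit applications on a 64-bit OS read the Wow6432Node copy of the key.
    $winHttpPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
}

# Protocol bits of the DefaultSecureProtocols value as documented for KB3140245.
$protocolBits = @(
    @{ Name = "SSL 2.0"; Bit = 0x8 },
    @{ Name = "SSL 3.0"; Bit = 0x20 },
    @{ Name = "TLS 1.0"; Bit = 0x80 },
    @{ Name = "TLS 1.1"; Bit = 0x200 },
    @{ Name = "TLS 1.2"; Bit = 0x800 }
)

$ok = $true
foreach ($path in $winHttpPaths) {
    $item = Get-ItemProperty -Path $path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "MISSING  $path\DefaultSecureProtocols"
        $ok = $false
        continue
    }
    $value = [int]$item.DefaultSecureProtocols
    $enabled = ($protocolBits | Where-Object { ($value -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }) -join ", "
    Write-Output ("{0}\DefaultSecureProtocols = 0x{1:X} ({2})" -f $path, $value, $enabled)
    if (($value -band 0x800) -eq 0) {
        Write-Output "  TLS 1.2 bit (0x800) is not set"
        $ok = $false
    }
}

foreach ($version in "TLS 1.1", "TLS 1.2") {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$version\Client"
    $item = Get-ItemProperty -Path $path -Name DisabledByDefault -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "MISSING  $path\DisabledByDefault"
        $ok = $false
        continue
    }
    $disabled = [int]$item.DisabledByDefault
    # An explicit Enabled = 0 under the same key would still switch the protocol off,
    # so report that value too when it exists.
    $enabledItem = Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $enabledItem) { $enabledText = "Enabled not set (protocol allowed)" }
    else { $enabledText = "Enabled = $($enabledItem.Enabled)" }
    Write-Output "$path\DisabledByDefault = $disabled; $enabledText"
    if ($disabled -ne 0) { $ok = $false }
    if (($null -ne $enabledItem) -and ([int]$enabledItem.Enabled -eq 0)) { $ok = $false }
}

if ($ok) { Write-Output "`nTLS 1.2 client settings look correct; restart the workstation if you have not already." }
else     { Write-Output "`nOne or more settings are missing or wrong; repeat the steps above." }
```

Run it before and after the restart: the registry values are visible immediately, but Schannel and WinHTTP only pick them up once the workstation has restarted.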
Apply the settings
After you modify your registry keys, you must restart your workstation to apply the registry settings. When your workstation restarts, create a test email account in Microsoft Outlook and configure the following settings in the Advanced section of Microsoft Outlook's Internet E-Mail Settings interface:
- Enter 993 in the Incoming Server (IMAP) text box or 995 in the Incoming Server (POP3) text box.
- Enter 465 in the Outgoing Server (SMTP) text box.
After you finish, click OK. Your Microsoft Outlook account will now successfully connect to your cPanel server's mail services.
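Before you rely on the Outlook test account, it helps to confirm from the workstation that each of the three mail ports above actually completes a TLS 1.2 handshake. The following script is an added example for this page, not cPanel's own code: it opens a TLS 1.2-only SslStream to ports 993, 995 and 465 and reports the negotiated protocol, cipher and certificate subject. The host name mail.example.com is a placeholder for your cPanel server's mail host; the script assumes .NET Framework 4.5 or later, which is where SslProtocols.Tls12 became available, and it keeps normal certificate validation so a bad certificate shows up as a failure rather than being hidden.

```powershell
# Added connection test, not part of the original cPanel document.
# Opens a TLS 1.2 session to each mail port the Outlook steps use and reports
# what was negotiated. Assumptions: "mail.example.com" is a placeholder for
# your server's mail host; .NET Framework 4.5+ provides SslProtocols.Tls12.

$mailHost = "mail.example.com"   # placeholder, replace with your cPanel server's mail host

function Test-Tls12Port {
    param([string]$Server, [int]$Port, [string]$Service)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Second argument $false: do not leave the inner stream open after dispose.
        # No validation callback is supplied, so the certificate chain is checked normally.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        Write-Output ("{0,-12} {1}:{2}  protocol={3} cipher={4} ({5}-bit) cert={6}" -f `
            $Service, $Server, $Port, $ssl.SslProtocol, $ssl.CipherAlgorithm,
            $ssl.CipherStrength, $ssl.RemoteCertificate.Subject)
        $ssl.Dispose()
    } catch {
        # A server that refuses TLS 1.2, or presents an untrusted certificate, lands here.
        Write-Output ("{0,-12} {1}:{2}  FAILED: {3}" -f $Service, $Server, $Port, $_.Exception.Message)
    } finally {
        $client.Close()
    }
}

Test-Tls12Port -Server $mailHost -Port 993 -Service "IMAP (SSL)"
Test-Tls12Port -Server $mailHost -Port 995 -Service "POP3 (SSL)"
Test-Tls12Port -Server $mailHost -Port 465 -Service "SMTP (SSL)"
```

A line that reports protocol=Tls12 for each port means the workstation can reach the server over TLS 1.2 with the ports the Outlook steps use; a FAILED line on one port tells you which service to look at before you configure the mail client.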
Installation scripts
We created two scripts that will automatically perform the actions that this document describes. To use these scripts, perform the following steps:
1. Open the Windows PowerShell application.
2. Navigate to the directory of your choice.
3. Create the install-kb.ps1 and tls-reg-edit.ps1 files.
4. Open the install-kb.ps1 file with a text editor and add the following information:
   Note: This script downloads and installs the KB3140245 Windows update.

   Import-Module BitsTransfer
   # Pick the 32-bit or 64-bit package to match the operating system.
   $arch = (Get-WmiObject -Class Win32_operatingsystem).Osarchitecture
   If ($arch -eq "32-bit") {
       $kbUrl32 = "http://download.windowsupdate.com/c/msdownload/update/software/updt/2016/04/windows6.1-kb3140245-x86_cdafb409afbe28db07e2254f40047774a0654f18.msu"
       $kb32 = "windows6.1-kb3140245-x86_cdafb409afbe28db07e2254f40047774a0654f18.msu"
       # Download into the current directory, then install with the standalone installer.
       Start-BitsTransfer -source $kbUrl32
       wusa $kb32 /log:install.log
   }
   Else {
       $kbUrl64 = "http://download.windowsupdate.com/c/msdownload/update/software/updt/2016/04/windows6.1-kb3140245-x64_5b067ffb69a94a6e5f9da89ce88c658e52a0dec0.msu"
       $kb64 = "windows6.1-kb3140245-x64_5b067ffb69a94a6e5f9da89ce88c658e52a0dec0.msu"
       Start-BitsTransfer -source $kbUrl64
       wusa $kb64 /log:install.log
   }
5. Open the tls-reg-edit.ps1 file with a text editor and add the following information:
   Note: This script creates registry keys in the following registry paths:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

   # Detect the OS architecture so the Wow6432Node key is also written on 64-bit systems.
   $arch = (Get-WmiObject -Class Win32_operatingsystem).Osarchitecture

   # WinHTTP: DefaultSecureProtocols = 0xA00 enables TLS 1.1 and TLS 1.2 for WinHTTP clients.
   $reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
   $reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
   $regWinHttpDefault = "DefaultSecureProtocols"
   $regWinHttpValue = "0x00000a00"

   # Schannel: DisabledByDefault = 0 under each Client key allows the protocol for client connections.
   $regTLS11 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
   $regTLS12 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
   $regTLSDefault = "DisabledByDefault"
   $regTLSValue = "0x00000000"

   Clear-Host
   Write-Output "Creating Registry Keys...`n"

   Write-Output "Creating registry key $reg32bWinHttp\$regWinHttpDefault with value $regWinHttpValue"
   IF (!(Test-Path $reg32bWinHttp)) {
       # The key path does not exist yet: create it, then the value.
       New-Item -Path $reg32bWinHttp -Force | Out-Null
       New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
   }
   ELSE {
       New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
   }

   IF ($arch -eq "64-bit") {
       Write-Output "Creating registry key $reg64bWinHttp\$regWinHttpDefault with value $regWinHttpValue"
       IF (!(Test-Path $reg64bWinHttp)) {
           New-Item -Path $reg64bWinHttp -Force | Out-Null
           New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
       }
       ELSE {
           New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
       }
   }

   Write-Output "Creating registry key $regTLS11\$regTLSDefault with value $regTLSValue"
   IF (!(Test-Path $regTLS11)) {
       New-Item -Path $regTLS11 -Force | Out-Null
       New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
   }
   ELSE {
       New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
   }

   Write-Output "Creating registry key $regTLS12\$regTLSDefault with value $regTLSValue"
   IF (!(Test-Path $regTLS12)) {
       New-Item -Path $regTLS12 -Force | Out-Null
       New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
   }
   ELSE {
       New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
   }

   Write-Output "`nComplete!"
6. Run the scripts from the directory in which you saved the files, for example:

   Set-ExecutionPolicy Bypass -Scope Process ; .\install-kb.ps1
   Set-ExecutionPolicy Bypass -Scope Process ; .\tls-reg-edit.ps1

7. Restart your workstation for the changes to take effect.