Greetings,

The recent Poodle issues and Microsoft's broken patch (MS14-006) have now made it necessary for me to actually understand secure connections to our web applications because it appears that when the user can't connect to a web server it is my web application that is broken :-^
For the life of me I can't find a single definitive source as to what the registry keys actually mean. There are plenty of "do it this way" instructions but I don't believe in magic, so I want to understand what the effects of changing the keys are likely to be. There are tantalising fragments of the information I want at various web sites, but I haven't found a good description anywhere yet. Does anybody know of a resource I can access that explains why a certain key would be needed and what the effects of the different settings are likely to be?

The keys I'm interested in live at:-

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

And I've read a number of articles from various sites:-

https://www.nartac.com/blog/post/2013/04/19/IIS-Crypto-Explained.aspx
http://support2.microsoft.com/kb/2588513
http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html
http://serverfault.com/questions/637195/is-there-any-reason-why-tls-1-1-and-1-2-are-disabled-on-windows-server-2008-r2
http://books.google.com.au/books?id=fQOLBAAAQBAJ&pg=PA448&lpg=PA448&dq=schannel+registry+keys+explained&source=bl&ots=sFcqPREgO9&sig=SUGeh2vCMkCdLOCqGlitcEt2wTw&hl=en&sa=X&ei=IOJrVK2gPISxmwWkloHICQ&ved=0CD0Q6AEwBTgU#v=onepage&q=schannel%20registry%20keys%20explained&f=false
http://www.adminhorror.com/2011/10/enable-tls-11-and-tls-12-on-windows_1853.html
http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030

If there is no reasonable reference documentation, could someone please answer the following questions:-

1. What is the real effect of DisabledByDefault on both Server and Client sub-keys?
2. Are there any nonsense combinations of keys or key values for DisabledByDefault and Enabled?
3. When would I need to set both Server and Client keys?
4. Is it good practice to explicitly set all these keys, or is it OK to rely on system defaults for keys that are absent?
(I know half the answer to this one because although Windows Server 2008R2 supports TLS 1.1 & 1.2, it will only use them if they are explicitly enabled in this registry hive!)

--
Regards,
noonie
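As an added example (not from the original post or any of the linked articles), a PowerShell script that reads the Client and Server sub-keys under the Protocols hive named above and reports, per protocol, whether Enabled and DisabledByDefault are set or absent. It assumes the meaning documented in KB 245030: Enabled=0 switches the protocol off, and DisabledByDefault=1 leaves it unused unless an application explicitly asks for it; the fixed protocol list and the weak-protocol warning are my own additions.

```powershell
# Added example: audit Schannel protocol settings as they are explicitly
# configured in the registry. An absent value means the OS default applies,
# which differs between Windows versions (e.g. TLS 1.1/1.2 on 2008 R2).
$base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protos = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')   # assumed list
$weak   = @('SSL 2.0', 'SSL 3.0')   # SSL 3.0 is the protocol POODLE affects

function Get-SchannelProtocolState {
    $rows = @()
    foreach ($proto in $protos) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path (Join-Path $base $proto) $side
            $enabled = $null; $dbd = $null
            if (Test-Path $path) {
                # Missing properties simply come back as $null
                $props   = Get-ItemProperty -Path $path
                $enabled = $props.Enabled
                $dbd     = $props.DisabledByDefault
            }
            # Interpretation assumed from KB 245030 (see lead-in)
            $state = if ($enabled -eq 0) { 'disabled' }
                     elseif ($null -eq $enabled -and $null -eq $dbd) { 'absent (OS default)' }
                     elseif ($dbd -eq 1) { 'enabled, not used by default' }
                     else { 'enabled' }
            $rows += [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
    return $rows
}

$result = Get-SchannelProtocolState
$result | Format-Table -AutoSize

# Warn about weak protocols that are not explicitly switched off on either side
$result | Where-Object { $weak -contains $_.Protocol -and $_.State -ne 'disabled' } |
    ForEach-Object { Write-Warning "$($_.Protocol) $($_.Side) is $($_.State)" }
```

Run it in an elevated PowerShell session before and after changing the keys to see exactly which values your change touched and which protocols are still relying on the OS default.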
