Solving the TLS 1.0 Problem (2024)


This document presents the latest guidance on rapidly identifying and removing Transport Layer Security (TLS) protocol version 1.0 dependencies in software built on top of Microsoft operating systems, following up with details on product changes and new features delivered by Microsoft to protect your own customers and online services. It is intended to be used as a starting point for building a migration plan to a TLS 1.2+ network environment. While the solutions discussed here may carry over and help with removing TLS 1.0 usage in non-Microsoft operating systems or crypto libraries, they are not a focus of this document.

TLS 1.0 is a security protocol first defined in 1999 for establishing encryption channels over computer networks. Microsoft has supported this protocol since Windows XP/Server 2003. While no longer the default security protocol in use by modern OSes, TLS 1.0 is still supported for backwards compatibility. Evolving regulatory requirements as well as new security vulnerabilities in TLS 1.0 provide corporations with the incentive to disable TLS 1.0 entirely.

Microsoft recommends customers get ahead of this issue by removing TLS 1.0 dependencies in their environments and disabling TLS 1.0 at the operating system level where possible. Given the length of time TLS 1.0 has been supported by the software industry, it is highly recommended that any TLS 1.0 deprecation plan include the following:

  • Code analysis to find/fix hardcoded instances of TLS 1.0 or older security protocols.

  • Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0 or older protocols.

  • Full regression testing through your entire application stack with TLS 1.0 disabled.

  • Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2 by default.

  • Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.

  • Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0.

  • Understanding which clients may no longer be able to connect to your servers once TLS 1.0 is disabled.

The goal of this document is to provide recommendations which can help remove technical blockers to disabling TLS 1.0 while at the same time increasing visibility into the impact of this change to your own customers. Completing such investigations can help reduce the business impact of the next security vulnerability in TLS 1.0. For the purposes of this document, references to the deprecation of TLS 1.0 also include TLS 1.1.

Enterprise software developers have a strategic need to adopt more future-safe and agile solutions (otherwise known as Crypto Agility) to deal with future security protocol compromises. While this document proposes agile solutions to the elimination of TLS hardcoding, broader Crypto Agility solutions are beyond the scope of this document.

The Current State of Microsoft's TLS 1.0 implementation

Microsoft's TLS 1.0 implementation is free of known security vulnerabilities. Due to the potential for future protocol downgrade attacks and other TLS 1.0 vulnerabilities not specific to Microsoft's implementation, it is recommended that dependencies on all security protocols older than TLS 1.2 be removed where possible (TLS 1.1/1.0/SSLv3/SSLv2).

In planning for this migration to TLS 1.2+, developers and system administrators should be aware of the potential for protocol version hardcoding in applications developed by their employees and partners. Hardcoding here means that the TLS version is fixed to a version that is outdated and less secure than newer versions. TLS versions newer than the hardcoded version cannot be used without modifying the program in question. This class of problem cannot be addressed without source code changes and software update deployment. Protocol version hardcoding was commonplace in the past for testing and supportability purposes as many different browsers and operating systems had varying levels of TLS support.

Supported versions of TLS in Windows

Many operating systems have outdated TLS version defaults or support ceilings that need to be accounted for.

Figure 1: Security Protocol Support by OS Version

Windows OS                     | SSLv2         | SSLv3    | TLS 1.0  | TLS 1.1       | TLS 1.2       | TLS 1.3
-------------------------------|---------------|----------|----------|---------------|---------------|--------------
Windows Vista                  | Enabled       | Enabled  | Enabled  | Not Supported | Not Supported | Not Supported
Windows Server 2008            | Enabled       | Enabled  | Enabled  | Disabled*     | Disabled*     | Not Supported
Windows 7 (WS2008 R2)          | Enabled       | Enabled  | Enabled  | Disabled*     | Disabled*     | Not Supported
Windows 8 (WS2012)             | Disabled      | Enabled  | Enabled  | Enabled       | Enabled       | Not Supported
Windows 8.1 (WS2012 R2)        | Disabled      | Enabled  | Enabled  | Enabled       | Enabled       | Not Supported
Windows 10                     | Disabled      | Enabled  | Enabled  | Enabled       | Enabled       | Not Supported
Windows 11                     | Disabled      | Enabled  | Enabled  | Enabled       | Enabled       | Enabled
Windows Server 2016            | Not Supported | Disabled | Enabled  | Enabled       | Enabled       | Not Supported
Windows Server 2019            | Not Supported | Disabled | Enabled  | Enabled       | Enabled       | Not Supported
Windows Server 2019 GS edition | Not Supported | Disabled | Disabled | Disabled      | Enabled       | Not Supported
Windows Server 2022            | Not Supported | Disabled | Disabled | Disabled      | Enabled       | Enabled

* See the Windows Server 2008 note below the table.

Windows Server 2019 GS edition is Microsoft SDL compliant, TLS 1.2 only with a restricted set of cipher suites.

Windows Server 2022 edition is Microsoft SDL compliant, TLS 1.2 and TLS 1.3 only with a restricted set of cipher suites.

TLS 1.1/1.2 can be enabled on Windows Server 2008 via this optional Windows Update package.

For more information on TLS 1.0/1.1 deprecation in IE/Edge, see Modernizing TLS connections in Microsoft Edge and Internet Explorer 11, Site compatibility-impacting changes coming to Microsoft Edge, and Disabling TLS/1.0 and TLS/1.1 in the new Edge Browser.

A quick way to determine what TLS version will be requested by various clients when connecting to your online services is by referring to the Handshake Simulation at Qualys SSL Labs. This simulation covers client OS/browser combinations across manufacturers. See Appendix A at the end of this document for a detailed example showing the TLS protocol versions negotiated by various simulated client OS/browser combinations when connecting

If not already complete, it is highly recommended to conduct an inventory of operating systems used by your enterprise, customers and partners (the latter two via outreach/communication or at least HTTP User-Agent string collection). This inventory can be further supplemented by traffic analysis at your enterprise network edge. In such a situation, traffic analysis will yield the TLS versions successfully negotiated by customers/partners connecting to your services, but the traffic itself will remain encrypted.

Microsoft's Engineering Improvements to eliminate TLS 1.0 dependencies

Since the v1 release of this document, Microsoft has shipped a number of software updates and new features in support of TLS 1.0 deprecation. These include:

  • IIS custom logging to correlate client IP/user agent string, service URI, TLS protocol version and cipher suite.

    • With this logging, admins can finally quantify their customers' exposure to weak TLS.
  • SecureScore - To help Office 365 tenant admins identify their own weak TLS usage, the SecureScore portal has been built to share this information as TLS 1.0 exited support in Office 365 in October 2018.

    • This portal provides Office 365 tenant admins with the valuable information they need to reach out to their own customers who may be unaware of their own TLS 1.0 dependencies.

    • Please visit for more information.

  • .Net Framework updates to eliminate app-level hardcoding and prevent framework-inherited TLS 1.0 dependencies.

  • Developer Guidance and software updates have been released to help customers identify and eliminate .Net dependencies on weak TLS: Transport Layer Security (TLS) best practices with the .NET Framework

    • FYI: All apps targeting .NET 4.5 or below are likely going to have to be modified in order to support TLS 1.2.
  • TLS 1.2 has been backported to Windows Server 2008 SP2 and XP POSReady 2009 to help customers with legacy obligations.

  • More announcements will be made in early 2019 and communicated in subsequent updates of this document.

Finding and fixing TLS 1.0 dependencies in code

For products using the Windows OS-provided cryptography libraries and security protocols, the following steps should help identify any hardcoded TLS 1.0 usage in your applications:

  1. Identify all instances of AcquireCredentialsHandle(). This helps reviewers get closer proximity to code blocks where TLS may be hardcoded.

  2. Review any instances of the SecPkgContext_SupportedProtocols and SecPkgContext_ConnectionInfo structures for hardcoded TLS.

  3. In native code, set any non-zero assignments of grbitEnabledProtocols to zero. This allows the operating system to use its default TLS version.

  4. Disable FIPS Mode if it is enabled due to the potential for conflict with settings required for explicitly disabling TLS 1.0/1.1 in this document. See Appendix B for more information.

  5. Update and recompile any applications using WinHTTP hosted on Server 2012 or older.

    1. Managed apps – rebuild and retarget against the latest .NET Framework version

    2. Applications must add code to support TLS 1.2 via WinHttpSetOption

  6. To cover all the bases, scan source code and online service configuration files for the patterns below corresponding to enumerated type values commonly used in TLS hardcoding:

    1. SecurityProtocolType

    2. SSLv2, SSLv23, SSLv3, TLS1, TLS 10, TLS11


    4. SP_PROT_

    5. NSStreamSocketSecurityLevel


The recommended solution in all cases above is to remove the hardcoded protocol version selection and defer to the operating system default. If you are using DevSkim, click here to see rules covering the above checks which you can use with your own code.
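A triage script for step 6 above (and the grbitEnabledProtocols check from step 3), added here as an example and not part of the Microsoft document: it walks a source tree with Select-String for the hardcoding patterns the list names and prints each candidate line for review. The root path, the file-extension list, and the decision not to flag SecurityProtocolType.SystemDefault or SslProtocols.None (both defer to the OS default) are my assumptions.

```powershell
# Added example, not from the original document: locate TLS-version hardcoding
# candidates in a source tree using the patterns listed in the steps above.
# Assumptions (mine): the tree sits at $Root and the extensions below are the
# ones worth scanning. SecurityProtocolType.SystemDefault and SslProtocols.None
# are not flagged because they defer to the OS default, which is the fix.
param(
    [string]   $Root = '.',
    [string[]] $Extensions = @('*.cs', '*.vb', '*.cpp', '*.c', '*.h', '*.ps1',
                               '*.config', '*.xml', '*.json', '*.m', '*.swift')
)

# Regex -> what a match indicates. Tokens come from the document's step 6 list,
# plus the native-code grbitEnabledProtocols check from step 3.
$patterns = [ordered]@{
    'SecurityProtocolType\.(Ssl3|Tls|Tls11|Tls12|Tls13)\b' = '.NET SecurityProtocolType pinned to a specific version'
    'SslProtocols\.(Ssl2|Ssl3|Tls|Tls11|Tls12|Tls13)\b'    = '.NET SslProtocols pinned to a specific version'
    '\b(SSLv2|SSLv23|SSLv3|TLS1|TLS ?10|TLS11)\b'          = 'Protocol-version token (SSLv2/SSLv23/SSLv3/TLS1/TLS 10/TLS11)'
    '\bSP_PROT_\w+'                                        = 'Schannel SP_PROT_ flag'
    'grbitEnabledProtocols\s*\|?=(?!=)\s*(?!0\b)\S'        = 'Non-zero grbitEnabledProtocols assignment (step 3: set to 0)'
    'NSStreamSocketSecurityLevel\w*'                       = 'Apple NSStreamSocketSecurityLevel setting'
}

$findings = foreach ($file in Get-ChildItem -Path $Root -Recurse -File -Include $Extensions) {
    foreach ($entry in $patterns.GetEnumerator()) {
        # Select-String is case-insensitive by default, which suits config files
        # where token casing varies; each match becomes one row to review.
        Select-String -Path $file.FullName -Pattern $entry.Key -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $_.Path
                    Line    = $_.LineNumber
                    Finding = $entry.Value
                    Text    = $_.Line.Trim()
                }
            }
    }
}

if (-not $findings) {
    Write-Host "No TLS hardcoding candidates found under $Root."
    exit 0
}

$findings | Sort-Object File, Line | Format-Table -AutoSize -Wrap
Write-Host ("{0} candidate line(s) to review; the fix is to defer to the OS default." -f @($findings).Count)
exit 1   # non-zero so a build pipeline can gate on the result
```

Every hit is a candidate, not a confirmed defect: a match on SslProtocols.Tls12 in test code that deliberately pins a version still needs a human decision, which is why the script prints the line rather than rewriting it.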

Windows PowerShell uses .NET Framework 4.5, which does not include TLS 1.2 as an available protocol. To work around this, two solutions are available:

  1. Modify the script in question to include the following:

    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
  2. Add a system-wide registry key (e.g. via group policy) to any machine that needs to make TLS 1.2 connections from a .NET app. This will cause .NET to use the "System Default" TLS versions which adds TLS 1.2 as an available protocol AND it will allow the scripts to use future TLS Versions when the OS supports them. (e.g. TLS 1.3)

    reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f /reg:64

    reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f /reg:32

Solutions (1) and (2) are alternatives: either one is sufficient on its own, and they need not be implemented together.

Rebuild/retarget managed applications using the latest .Net Framework version

Applications using .NET framework versions prior to 4.7 may have limitations effectively capping support to TLS 1.0 regardless of the underlying OS defaults. Refer to the below diagram and Transport Layer Security (TLS) best practices with the .NET Framework for more information.

[Diagram: .NET Framework TLS protocol support; image not reproduced in this copy]

SystemDefaultTlsVersions takes precedence over app-level targeting of TLS versions. The recommended best practice is to always defer to the OS default TLS version. It is also the only crypto-agile solution that lets your apps take advantage of future TLS 1.3 support.

If you are targeting older versions of .NET Framework such as 4.5.2 or 3.5, then by default your application will use the older and not recommended protocols such as SSL 3.0 or TLS 1.0. It is strongly recommended that you upgrade to newer versions of .NET Framework such as .NET Framework 4.6 or set the appropriate registry keys for 'UseStrongCrypto'.

Testing with TLS 1.2+

Following the fixes recommended in the section above, products should be regression-tested for protocol negotiation errors and compatibility with other operating systems in your enterprise.

  • The most common issue in this regression testing will be a TLS negotiation failure due to a client connection attempt from an operating system or browser that does not support TLS 1.2.

    • For example, a Vista client will fail to negotiate TLS with a server configured for TLS 1.2+ as Vista's maximum supported TLS version is 1.0. That client should be either upgraded or decommissioned in a TLS 1.2+ environment.
  • Products using certificate-based Mutual TLS authentication may require additional regression testing as the certificate-selection code associated with TLS 1.0 was less expressive than that for TLS 1.2.

    • If a product negotiates MTLS with a certificate from a non-standard location (outside of the standard named certificate stores in Windows), then that code may need updating to ensure the certificate is acquired correctly.
  • Service interdependencies should be reviewed for trouble spots.

    • Any services which interoperate with 3rd-party services should conduct additional interop testing with those 3rd parties.

    • Any non-Windows applications or server operating systems in use require investigation / confirmation that they can support TLS 1.2. Scanning is the easiest way to determine this.

A simple blueprint for testing these changes in an online service consists of the following:

  1. Conduct a scan of production environment systems to identify operating systems which do not support TLS 1.2.

  2. Scan source code and online service configuration files for hardcoded TLS as described in "Finding and fixing TLS 1.0 dependencies in code".

  3. Update/recompile applications as required:

    1. Managed apps

      1. Rebuild against the latest .NET Framework version.

      2. Verify any usage of the SslProtocols enumeration is set to SslProtocols.None in order to use OS default settings.

    2. WinHTTP apps – rebuild with WinHttpSetOption to support TLS 1.2

  4. Start testing in a pre-production or staging environment with all security protocols older than TLS 1.2 disabled via registry.

  5. Fix any remaining instances of TLS hardcoding as they are encountered in testing. Redeploy the software and perform a new regression test run.

Notifying partners of your TLS 1.0 deprecation plans

After TLS hardcoding is addressed and operating system/development framework updates are completed, should you opt to deprecate TLS 1.0 it will be necessary to coordinate with customers and partners:

  • Early partner/customer outreach is essential to a successful TLS 1.0 deprecation rollout. At a minimum this should consist of blog postings, whitepapers or other web content.

  • Partners each need to evaluate their own TLS 1.2 readiness through the operating system/code scanning/regression testing initiatives described in above sections.


Removing TLS 1.0 dependencies is a complicated issue to drive end to end. Microsoft and industry partners are taking action on this today to ensure our entire product stack is more secure by default, from our OS components and development frameworks up to the applications/services built on top of them. Following the recommendations made in this document will help your enterprise chart the right course and know what challenges to expect. It will also help your own customers become more prepared for the transition.

Appendix A: Handshake Simulation for various clients connecting to, courtesy

[Image: Qualys SSL Labs handshake simulation results for various clients; not reproduced in this copy]

Appendix B: Deprecating TLS 1.0/1.1 while retaining FIPS Mode

Follow the steps below if your network requires FIPS Mode but you also want to deprecate TLS 1.0/1.1:

  1. Configure TLS versions via the registry, by setting "Enabled" to zero for the unwanted TLS versions.

  2. Disable Curve 25519 (Server 2016 only) via Group Policy.

  3. Disable any cipher suites using algorithms that aren't allowed by the relevant FIPS publication. For Server 2016 (assuming the default settings are in effect) this means disabling RC4, PSK and NULL ciphers.
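The registry change that the testing blueprint (step 4, "disabled via registry") and Appendix B step 1 both rely on, carried through as a script together with the optional Appendix B cipher-suite and curve restrictions. This is an added example, not the Microsoft document's own code; it assumes an elevated prompt on Windows Server 2016 or later (or Windows 10 or later) where the TLS module cmdlets exist, and it substitutes the Disable-TlsEccCurve cmdlet for the Group Policy step the document describes.

```powershell
# Added example, not part of the original document: disable TLS 1.0/1.1 in
# Schannel for the client and server roles (testing blueprint step 4,
# Appendix B step 1), and optionally apply the Appendix B cipher-suite and
# curve restrictions (steps 2 and 3) so FIPS Mode can stay on.
# Assumptions (mine): run elevated on Windows Server 2016+ / Windows 10+, where
# the TLS cmdlets exist; Schannel reads these keys at boot, so reboot afterwards.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]] $ProtocolsToDisable = @('TLS 1.0', 'TLS 1.1'),
    [switch]   $RestrictForFips
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

foreach ($proto in $ProtocolsToDisable) {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $proto) $role
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0 and DisabledByDefault=1')) {
            # -Force creates the missing subkeys and leaves existing ones intact.
            New-Item -Path $key -Force | Out-Null
            # Enabled=0 refuses the version even when an SSPI app asks for it;
            # DisabledByDefault=1 also keeps it out of the default negotiation set.
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

if ($RestrictForFips) {
    # Appendix B step 3: remove suites using algorithms FIPS does not allow.
    # The document names RC4, PSK and NULL for a default Server 2016 install;
    # matching on the suite name avoids hardcoding a suite list here.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match 'RC4|PSK|NULL' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Disable-TlsCipherSuite')) {
                Disable-TlsCipherSuite -Name $_.Name
            }
        }

    # Appendix B step 2: the document does this through Group Policy; the TLS
    # module cmdlet sets the same local policy and is used here instead.
    foreach ($curve in (Get-TlsEccCurve | Where-Object { "$_" -match '25519' })) {
        if ($PSCmdlet.ShouldProcess("$curve", 'Disable-TlsEccCurve')) {
            Disable-TlsEccCurve -Name "$curve"
        }
    }
}

# Show the resulting Schannel state so the change can be reviewed before reboot.
foreach ($proto in $ProtocolsToDisable) {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $proto) $role
        if (Test-Path $key) {
            Get-ItemProperty -Path $key |
                Select-Object @{ n = 'Protocol'; e = { $proto } },
                              @{ n = 'Role';     e = { $role } },
                              Enabled, DisabledByDefault
        }
    }
}
Write-Host 'Reboot the host for Schannel to pick up the new protocol settings.'
```

Run it once with -WhatIf to see every key and cipher suite it would touch before committing, and keep it in a staging environment first as the testing blueprint recommends.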

Contributors/Thanks to

Mark Cartwright
Bryan Sullivan
Patrick Jungles
Michael Scovetta
Tony Rice
David LeBlanc
Mortimer Cook
Daniel Sommerfeld
Andrei Popov
Michiko Short
Justin Burke
Gov Maharaj
Brad Turner
Sean Stevenson
