Introduction
This article describes an update to add support for Transport Layer Security (TLS)1.1 and TLS 1.2 in Windows Embedded Compact 7.
Before you install this update, all previously issued updates for this product must be installed.
Summary
Enable TLS 1.1 and TLS 1.2
By default, TLS1.1 and TLS 1.2 are enabled when the Windows Embedded Compact 7-based device is configured as a client by using browser settings. The protocols are disabled when the Windows Embedded Compact 7-based device is configured as a web server.
You can use the following registry keys to enable or disable TLS 1.1 and TLS 1.2.
TLS 1.1
The following subkey controls the use of TLS 1.1:
HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
To disable the TLS 1.1 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.
Note To enable and negotiate TLS 1.1, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.
TLS 1.2
The following subkey controls the use of TLS 1.2:
HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.
Note To enable and negotiate TLS 1.2, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.
Additional notes
-
The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential.
-
Per the Request for Comments (RFC), the design implementation does not allow SSL2 and TLS 1.2 to be enabled at the same time.
More Information
Please read the following sections for additional details about TLS 1.1 and 1.2.
Cipher Suites supported by TLS 1.2 only
The following newly added cipher suites are supported by TLS 1.2 only:
-
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
-
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
-
TLS_RSA_WITH_NULL_SHA256
-
TLS_RSA_WITH_AES_128_CBC_SHA256
-
TLS_RSA_WITH_AES_256_CBC_SHA256
-
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SCHANNEL_CREDhttps://docs.microsoft.com/en-us/previous-versions/windows/embedded/ee498356(v=winembedded.70)
grbitEnabledProtocols
(Optional) This DWORD contains a bit string that represents protocols that have the following condition:
-
Supportedby connections that are made by having credentials that are acquired by using this structure
The following table shows the additional possible flags that themember can contain.
| Value | Description |
| SP_PROT_TLS1_2_CLIENT | Transport Layer Security 1.2 client-side. |
| SP_PROT_TLS1_2_SERVER | Transport Layer Security 1.2 server-side |
| SP_PROT_TLS1_1_CLIENT | Transport Layer Security 1.1 client-side. |
| SP_PROT_TLS1_1_SERVER | Transport Layer Security 1.1 server-side |
SecBuffer
BufferType
This set of bit flags indicates the type of buffer. The following table shows the additional available flags for TLS 1.2.
| Flag | Description |
| SECBUFFER_ALERT | The buffer contains an alert message. |
SecPkgContext_ConnectionInfo
dwProtocol
This designates the protocol that is used to establish this connection. The following table shows additional valid constants for this member.
| Value | Description |
| SP_PROT_TLS1_2_CLIENT | Transport Layer Security 1.2 client-side. |
| SP_PROT_TLS1_2_SERVER | Transport Layer Security 1.2 server-side |
| SP_PROT_TLS1_1_CLIENT | Transport Layer Security 1.1 client-side. |
| SP_PROT_TLS1_1_SERVER | Transport Layer Security 1.1 server-side |
aiCipher
This is the algorithm identifier (ALG_ID) for the bulk encryption cipher that is used by this connection. The following table shows the additional valid constants for this member.
| Value | Description |
| CALG_AES_256 | AES 256-bit encryption algorithm |
| CALG_AES_128 | AES 128-bit encryption algorithm |
| CALG_3DES | 3DES block encryption algorithm |
SecPkgContext_SupportedSignatures
structure
This specifies the signature algorithms that are supported by an Schannel connection.
Syntax (C++)
typedef struct _SecPkgContext_SupportedSignatures { WORD cSignatureAndHashAlgorithms; WORD *pSignatureAndHashAlgorithms;} SecPkgContext_SupportedSignatures, *PSecPkgContext_SupportedSignatures;
Members
-
cSignatureAndHashAlgorithms
This is the number of elements in the pSignatureAndHashAlgorithms array.
-
pSignatureAndHashAlgorithms
This is an array of values that specify the supported algorithms.
The upper byte can be one of the following values that specifies a signature algorithm.
Value
Meaning
Anonymous signature algorithm
1
The RSA signature algorithm
2
The DSA signature algorithm
3
The ECDSA signature algorithm
255
Reserved
The lower byte can be one of the following values that specifies a hash algorithm.Value
Meaning
None
1
The MD5 hash algorithm
2
The SHA1 hash algorithm
3
The SHA-224 hash algorithm
4
The SHA-256 hash algorithm
5
The SHA-384 hash algorithm
6
The SHA-512 hash algorithm
255
Reserved
Requirements
Header
Schannel.h
QueryContextAttributes
This function enables a transport application to query a security package for certain attributes of a security context.
ulAttribute
This is a pointer to a buffer that containsattributes of the context that is to be retrieved. The following table shows the possible values.
| Value | Description |
| SECPKG_ATTR_SUPPORTED_SIGNATURES | This value returns information about the signature types that are supported for the connection. The pBuffer parameter contains a pointer to a SecPkgContext_SupportedSignatures structure. |
UI Sample Browser Registry Settings
The following table shows the settings that register the Internet and operating settings in the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
| Name | Type | Description | Default value |
| SecureProtocols | REG_BINARY | 00,02,00,00 (enables TLS 1.1 only) 00,08,00,00 (enables TLS 1.2 only) You can also set this key as REG_DWORD "0AA8" to enable all protocols. | A0,0A,00,00(enables all protocols, except SSL2) |
Software update information
Download information
The Windows Embedded Compact 7 Monthly Update (March2018) is now available from Microsoft. To download the update, go to theDevice Partner Center (DPC).
Prerequisites
This update is supported only if all previously issued updates for this product have also been installed.
Restart requirement
After you apply this update, you must perform a clean build of the whole platform. To do this, use one of the following methods:
-
On the Build menu, selectClean Solution, and then selectBuild Solution.
-
On the Build menu, selectRebuild Solution.
You do not have to restart the computer after you apply this software update.
Update replacement information
This update does not replace any other updates.
References
Learn about the terminology that Microsoft uses to describe software updates.
