Windows Server 2008 R2 seems to support TLS 1.1 and 1.2 but they are disabled by default.
Why are they disabled by default?
Do they have any drawbacks?
iis-7.5, windows-server-2008-r2
Best Answer
Server 2008 R2/Windows 7 introduced TLS 1.1 and TLS 1.2 support for Windows, and was released prior to the attacks that made TLS 1.0 vulnerable, so it's probably just a matter of TLS 1.0 being the default because it was the most widely used TLS version at the time Server 2008 R2 was released (July 2009).
Not sure how you'd know for sure, or find out "why" a design decision was made, but given that Windows 7 and Server 2008 R2 introduced the feature to the Windows family, and Windows Server 2012 uses TLS 1.2 by default, it would seem to suggest it was a matter of "the way things were done" at the time. TLS 1.0 was still "good enough," so it was the default, but TLS 1.1 and 1.2 were supported for forward-support and forward-operability.
This technet blog from a Microsoft employee recommends enabling the newer versions of TLS and also notes that (as of October 2011):
That further supports the idea that newer TLS versions weren't enabled by default in Server 2008 R2 for the simple reason that they were newer and not widely supported or used at the time - Apache and OpenSSL didn't even support them yet, let alone use them as default.
Details on precisely how to enable and disable the various SSL/TLS versions can be found in Microsoft KB article 245030, titled "How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll". Obviously, the Client keys control Internet Explorer, and the Server keys cover IIS.
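As an added illustration (not part of the answer above), the following PowerShell shows the Schannel registry layout that KB 245030 describes, first reporting the current state of TLS 1.1 and TLS 1.2 for both the Client and Server keys and then enabling them. It assumes an elevated session on Windows Server 2008 R2 and that the server will be rebooted afterwards, since Schannel reads these keys at boot.

```powershell
# Added example, not from the original answer. Uses the Schannel protocol keys
# documented in KB 245030; run elevated, then reboot for the change to apply.
$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # e.g. 'TLS 1.2', 'Server'
    $key = Join-Path $ProtocolRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all: Schannel falls back to the OS built-in default
        # (on 2008 R2 that means TLS 1.1/1.2 are not offered).
        $state = 'OS default (key absent)'
    } else {
        $item = Get-ItemProperty -Path $key
        $enabled = $item.Enabled
        $dbd = $item.DisabledByDefault
        if ($null -eq $enabled -and $null -eq $dbd) { $state = 'OS default (values absent)' }
        elseif ($enabled -eq 0) { $state = 'Disabled' }
        elseif ($dbd -eq 1) { $state = 'Available but not negotiated by default' }
        else { $state = 'Enabled' }
    }
    # New-Object form keeps this compatible with the PowerShell 2.0 on 2008 R2.
    New-Object PSObject -Property @{ Protocol = $Protocol; Side = $Side; State = $state }
}

function Enable-SchannelProtocol {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $ProtocolRoot "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=1 turns the version on; DisabledByDefault=0 lets Schannel offer it
    # without the application having to request that version explicitly.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

$protocols = 'TLS 1.1', 'TLS 1.2'
$sides = 'Client', 'Server'   # Client = IE/WinHTTP side, Server = IIS side

'Before:'
foreach ($p in $protocols) { foreach ($s in $sides) { Get-SchannelProtocolState $p $s } }

foreach ($p in $protocols) { foreach ($s in $sides) { Enable-SchannelProtocol $p $s } }

'After (effective once the server is rebooted):'
foreach ($p in $protocols) { foreach ($s in $sides) { Get-SchannelProtocolState $p $s } }
```

Running only the `Get-SchannelProtocolState` calls is a harmless way to audit a server before deciding whether to change anything.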