SSL – Disable TLS 1.3 on IIS


After the July 2020 Windows update, an IIS-hosted website started using TLS 1.3 when I need it to be TLS 1.2 for inbound SSL inspection, to avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors. How can I disable TLS 1.3?

Best Answer

A Microsoft article on Transport Layer Security (TLS) registry settings describes how this is done for SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, DTLS 1.0 and DTLS 1.2. There's no reason to believe this would be done any other way for TLS 1.3, although not yet documented.

It's also worth mentioning you'd only create keys to change the defaults from Protocols in TLS/SSL (Schannel SSP) – that explains why those keys don't exist by default.

Disable TLS 1.3 as server protocol

Managing SSL/TLS Protocols and Cipher Suites for AD FS lists the actual registry keys better and also has PowerShell examples. The following is modified from there.

...using .reg file (Registry Editor):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

...using PowerShell:

# The Protocols\TLS 1.3\Server key does not exist by default; create it first.
New-Item `
   'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' `
   -Force | Out-Null

# Enabled = 0 switches the protocol off for the server side.
New-ItemProperty `
   -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' `
   -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null

# DisabledByDefault = 1 keeps it off even when a caller does not request a specific protocol.
New-ItemProperty `
   -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' `
   -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
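As an added example (not code from the answer above or from Microsoft's articles), the following PowerShell generalises the registry edit shown in the answer to any Schannel protocol subkey and to both the Server and Client sides, and reads the values back so the change can be verified before restarting. It assumes an elevated session on Windows, that the protocol name you pass matches the subkey name Microsoft documents (for example 'TLS 1.2' or 'TLS 1.3'), and that the `Enabled`/`DisabledByDefault` semantics for TLS 1.3 are the same as for the documented protocols, which is the assumption the answer itself makes. The function names `Set-SchannelProtocol` and `Get-SchannelProtocolState` are my own, not built-in cmdlets.

```powershell
# Added example: generic Schannel protocol toggle with read-back verification.
# Assumes an elevated PowerShell session on Windows and the documented
# Protocols\<name>\<Server|Client> key layout. Function names are hypothetical.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Protocol,                        # e.g. 'TLS 1.3'
        [ValidateSet('Server', 'Client')] [string[]] $Side = @('Server'),  # which subkeys to write
        [Parameter(Mandatory)] [bool] $Enabled                             # $false disables the protocol
    )
    foreach ($s in $Side) {
        $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        if ($PSCmdlet.ShouldProcess($path, "set Enabled=$([int]$Enabled)")) {
            # The key is absent by default; creating it is what overrides the built-in default.
            New-Item -Path $path -Force | Out-Null
            # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off for
            # callers that do not explicitly request a protocol version.
            New-ItemProperty -Path $path -Name 'Enabled' `
                -Value ([int]$Enabled) -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $path -Name 'DisabledByDefault' `
                -Value ([int](-not $Enabled)) -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Reports what is actually in the registry for both sides of a protocol.
    # 'default' means no key/value exists and Schannel's built-in default applies.
    param([Parameter(Mandatory)] [string] $Protocol)
    foreach ($s in 'Server', 'Client') {
        $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $s
            KeyExists         = [bool]$item
            Enabled           = $(if ($item -and $null -ne $item.Enabled) { $item.Enabled } else { 'default' })
            DisabledByDefault = $(if ($item -and $null -ne $item.DisabledByDefault) { $item.DisabledByDefault } else { 'default' })
        }
    }
}

# Usage: the case from the question (disable TLS 1.3 for inbound connections), then verify.
Set-SchannelProtocol -Protocol 'TLS 1.3' -Side Server -Enabled $false
Get-SchannelProtocolState -Protocol 'TLS 1.3' | Format-Table -AutoSize
```

Because the function supports `-WhatIf`, you can preview the exact key paths before writing anything. Only the Server subkey is touched here, so outbound TLS from the box (the Client side) is left at its default. As with the other Schannel protocol keys, plan for a restart before expecting IIS to negotiate differently, and re-run `Get-SchannelProtocolState` afterwards to confirm the values survived.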