
Using Windows 11, no server or IIS, I just want to disable old TLS versions on my personal computer so that no connection over those versions can be made, even if that means some connections will fail.

I want to completely disable TLS v1, TLS v1.1 and TLS v1.2.

I tried the Internet options advanced settings, but they have no effect on anything as far as I can tell, and I don't know why they are even there.

All the articles I read online are either about Windows Server or IIS.

I'm using Microsoft Edge browser.

I want to disable those old TLS versions in a way that I don't see any TLS connection other than TLS v1.3 in Wireshark.

  • 1
    I'm not sure why you want to do this, but note that TLS 1.2 is not considered insecure (assuming the right ciphers are used). Commented Nov 12, 2022 at 12:19
  • Hi, for TLS 1.2 I mainly want to test how I will be affected if I disable it and make it permanent if it doesn't break important parts of the OS but definitely want to disable TLS 1 and TLS 1.1 permanently no matter what.
    – user1737559
    Commented Nov 12, 2022 at 12:25
  • 2
    I think most sites are still on 1.2. I tried setting my site to 1.3 only and it broke on some platforms.
    – Journeyman Geek
    Commented Nov 12, 2022 at 12:28
  • 1
    Does "Disable Enable TLS 1.0 And 1.1 For Internet Explorer EdgeHTML" (HTMD Blog) answer your question?
    – DavidPostill
    Commented Nov 12, 2022 at 12:34
  • 1
    It was Android client apps for things, strangely enough.
    – Journeyman Geek
    Commented Nov 12, 2022 at 12:42

1 Answer


This still doesn't fully satisfy my needs and it's incomplete; there is valuable info in the comments section down below. If you have a better answer, please post it.


So far I have only found a way to disable the TLS versions in the browser, but still not system-wide. I still see connections being made over insecure TLS v1 and TLS v1.1 from time to time in Wireshark, with no way to block them, mostly initiated by programs I installed.

For Microsoft Edge, TLS v1 and TLS v1.1 are already disabled by default; in order to disable TLS v1.2, run this in an elevated PowerShell:

# Edge policy: cipher suites listed under TLSCipherSuiteDenyList are never offered.
# The eight values below are the TLS 1.2 suites denied in this answer; the values
# are written as REG_SZ entries named '1' .. '8' under the policy key.
$RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList'
$DenyList     = '0xC02B', '0xC02F', '0xC02C', '0xC030', '0xCCA9', '0xCCA8', '0x009E', '0x009F'

If (-NOT (Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }

$Index = 1
foreach ($Value in $DenyList) {
    New-ItemProperty -Path $RegistryPath -Name "$Index" -Value $Value -PropertyType String -Force
    $Index++
}

Used these 2 resources: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#tlsciphersuitedenylist

https://wiki.mozilla.org/Security/Server_Side_TLS

Still looking for a way to do the same for the entire OS.

UPDATE: in Windows, I disabled all cipher suites and only kept those that belong to TLS v1.3:

# Schannel cipher suites (TLS 1.2 and lower), removed in the order they were listed.
Disable-TlsCipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Disable-TlsCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Disable-TlsCipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Disable-TlsCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Disable-TlsCipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
Disable-TlsCipherSuite TLS_RSA_WITH_AES_128_CBC_SHA
Disable-TlsCipherSuite TLS_RSA_WITH_NULL_SHA256
Disable-TlsCipherSuite TLS_RSA_WITH_NULL_SHA
Disable-TlsCipherSuite TLS_PSK_WITH_AES_256_GCM_SHA384
Disable-TlsCipherSuite TLS_PSK_WITH_AES_128_GCM_SHA256
Disable-TlsCipherSuite TLS_PSK_WITH_AES_256_CBC_SHA384
Disable-TlsCipherSuite TLS_PSK_WITH_AES_128_CBC_SHA256
Disable-TlsCipherSuite TLS_PSK_WITH_NULL_SHA384
Disable-TlsCipherSuite TLS_PSK_WITH_NULL_SHA256

Disable-TlsCipherSuite TLS_RSA_WITH_AES_128_CBC_SHA256
Disable-TlsCipherSuite TLS_RSA_WITH_AES_256_CBC_SHA256
Disable-TlsCipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256
Disable-TlsCipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384
Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Disable-TlsCipherSuite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Disable-TlsCipherSuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
Disable-TlsCipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
# The two TLS 1.3 suites are removed here and re-added below so that they end up as the only enabled suites.
Disable-TlsCipherSuite TLS_AES_128_GCM_SHA256
Disable-TlsCipherSuite TLS_AES_256_GCM_SHA384

# TLS 1.3 suites: the only ones left enabled.
Enable-TlsCipherSuite TLS_AES_128_GCM_SHA256
Enable-TlsCipherSuite TLS_AES_256_GCM_SHA384
# Added in Windows 11 https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11
Enable-TlsCipherSuite TLS_CHACHA20_POLY1305_SHA256

This caused some websites that supported both TLS 1.3 and 1.2 to use 1.3 instead; prior to this change they kept using 1.2.

In Wireshark, though, this didn't stop TLS 1.1 and 1.2 from showing up, but their cipher suites are being enforced correctly, which is weird to me because I thought cipher suites used by TLS v1.3 can't be used by older TLS versions.

  • 1
    That only disables them for Edge; Chrome and Firefox could still use them. Additionally, there isn't a way to prevent an application from using, say, TLS 1.2 if there's no option within the application settings.
    – Ramhound
    Commented Nov 12, 2022 at 14:02
  • @Ramhound I made more progress but need some info if you could provide it please. It seems like it's not as easy as specifying a TLS version and that gets automatically disabled, but we have the ability to disable cipher suites that are used by TLS. learn.microsoft.com/en-us/powershell/module/tls/… So even though wiki.mozilla.org/Security/Server_Side_TLS mentions only 3 cipher suites for TLS 1.3 and doesn't say older TLS versions can utilize them, I see in Wireshark that TLS 1.2 and 1.1 are using them! Any idea?
    – user1737559
    Commented Nov 12, 2022 at 15:03
  • 1
    @Ramhound+ rather, registry and posh settings only affect things that use schannel: that includes Edge and IIS, and posh and vbscript(!), I'd expect but can't verify Outlook, the curl.exe supplied by Microsoft, and some more as noted by OP, but not Chrome, Firefox, other programs that use portable stacks like Java nodejs python php, and anything in wsl. Commented Nov 13, 2022 at 3:58
  • 1
    OP: there are actually 5 ciphersuites in 1.3, but Mozilla only recommends and Win11 only implements 3; they are indeed unusable in lower protocols and the lower suites unusable in 1.3, but a 1.3-capable client can, and all I know of at present do, offer in the ClientHello both 1.3 and at least 1.2 (sometimes lower) with a ciphersuite list that includes both types; it is the ServerHello, only, that must select one version and one ciphersuite compatible with it. Commented Nov 13, 2022 at 4:00
  • 1
    See en.wikipedia.org/wiki/… for a start. OpenSSL/SSLeay (plus forks LibreSSL and BoringSSL), NSS and GnuTLS are written in C, and JSSE and BouncyCastle in Java, and are widely available and used on at least all Linux (usually other Unix also) and Windows. MbedTLS/PolarSSL Wolf/CyaSSL and BearSSL (omitted from wikipedia but its author Thomas Pornin is a big contributor to crypto.SX and security.SX) are also portable but less widely used. There are others that you probably won't encounter. Commented Nov 15, 2022 at 5:05
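As an added example (not from the answer or the comments above), this PowerShell script shows the Schannel side of the original question: it turns off TLS 1.0 and TLS 1.1 for Schannel clients through the SCHANNEL\Protocols registry keys, then uses Get-TlsCipherSuite to report which of the remaining suites are TLS 1.3-only, which is the point raised in the comments. It assumes an elevated PowerShell on Windows 11 and a reboot afterwards; the Disable-SchannelClientProtocol function name is my own.

```powershell
# Added example, not code from the original answer. Assumes an elevated
# PowerShell on Windows 11; Schannel reads the Protocols keys at boot, so
# reboot after running it. As the comments note, this only affects programs
# that use Schannel (Edge, PowerShell, ...), not Chrome, Firefox, Java,
# Python or WSL, which carry their own TLS stacks.
#Requires -RunAsAdministrator

$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelClientProtocol {
    # Hypothetical helper name; the registry values are the documented Schannel ones.
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.0'
    $Key = Join-Path $ProtocolsKey "$Protocol\Client"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off
    # for callers that do not name an explicit protocol set.
    New-ItemProperty -Path $Key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    # Read the values back so the change can be checked without opening regedit.
    Get-ItemProperty -Path $Key |
        Select-Object @{n = 'Protocol'; e = { $Protocol }}, Enabled, DisabledByDefault
}

'TLS 1.0', 'TLS 1.1' | ForEach-Object { Disable-SchannelClientProtocol -Protocol $_ }

# Check on the point from the comments: a TLS 1.3 suite is unusable in lower
# versions. Get-TlsCipherSuite lists each suite's protocol versions as numbers
# (771 = 0x303 = TLS 1.2, 772 = 0x304 = TLS 1.3, the same values Wireshark
# shows), so a suite that lists only 0x304 is TLS 1.3-only and any suite still
# listing 0x303 or lower is what allows a TLS 1.2 connection through.
Get-TlsCipherSuite |
    Select-Object Name,
        @{n = 'Protocols'; e = { ($_.Protocols | ForEach-Object { '0x{0:X}' -f $_ }) -join ',' }},
        @{n = 'Tls13Only'; e = { ($_.Protocols | Where-Object { $_ -ne 772 }).Count -eq 0 }} |
    Sort-Object Tls13Only, Name |
    Format-Table -AutoSize
```

Suites reported with Tls13Only = False are the ones a TLS 1.2 ServerHello can still select; removing them with Disable-TlsCipherSuite, as the answer does, is what shrinks the Schannel ClientHello to TLS 1.3 suites only.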
