
After you create a website in Internet Information Services (IIS) Manager, in the config file in the path below,

C:\Windows\System32\inetsrv\config\applicationHost.config

You can modify the following value like this in the specific website section,

<binding protocol="https" bindingInformation="*:443:" sslFlags="32" />

What this does is check the checkbox called Disable TLS 1.3 over TCP in Bindings. Although this change in the config file checks the checkbox, it does not apply the settings because the website isn't loading. However, if you manually check the Disable TLS 1.3 over TCP checkbox, then it works. What is the issue here?

I am going to create a website using an installer to automate the process. But, in Windows Server 2022, it is not loading the website unless the Disable TLS 1.3 over TCP checkbox is checked.

So, I am looking for ways to check the Disable TLS 1.3 over TCP checkbox using code. But, I need to know why just changing the config file did not work. I even restarted the website.

  • You should figure out why you can't have TLS 1.3 enabled. TLS 1.0 and 1.1 have already been deprecated, and TLS 1.2 will be deprecated in the next few years. You're just delaying the problem.
    – LPChip
    Commented Oct 24, 2023 at 6:35
  • Also: vertexcybersecurity.com.au/tls1-2-end-of-life
    – LPChip
    Commented Oct 24, 2023 at 8:44
  • The website is working fine in Windows Servers 2016 and 2019. But in 2022, it only works if TLS 1.3 is disabled.
    – Codename K
    Commented Oct 25, 2023 at 8:05
  • So again, you should try to find out why the website doesn't work with TLS 1.3 enabled on Windows server 2022.
    – LPChip
    Commented Oct 25, 2023 at 16:59

1 Answer


In addition to the sslFlags attribute you noticed, it appears IIS also sets a registry key when checking that box:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"DefaultFlags"=dword:00000040

If your SSL binding uses a different port number, you will need to adjust the registry key to match. I also needed to reboot Windows before IIS seemed to notice the registry key change.

Regarding LPChip's comments, I needed to disable TLS 1.3, because my application uses client certificate authentication, and Chrome-based browsers do not support post-handshake authentication.
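As an added example (not code from the question or the answer), this PowerShell snippet applies both changes the answer describes from an installer: the sslFlags attribute on the site's HTTPS binding in applicationHost.config and the DefaultFlags value under the HTTP.sys SslBindingInfo registry key. The site name and port are assumptions; the binding is assumed to already exist.

```powershell
# Added example: automate the two changes described in the answer.
# Assumptions: site 'MySite' already has an https binding on *:443:.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'MySite'   # assumed site name; replace with yours
$Port     = 443        # assumed port; the registry key below must match it

# 1. applicationHost.config: sslFlags=32 on the https binding.
#    This is the value the "Disable TLS 1.3 over TCP" checkbox writes.
#    sslFlags is a bitmask, so if the binding also uses SNI (bit 1)
#    keep that bit (33 instead of 32).
$filter = "system.applicationHost/sites/site[@name='$SiteName']" +
          "/bindings/binding[@protocol='https' and @bindingInformation='*:${Port}:']"
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter $filter -Name 'sslFlags' -Value 32

# 2. Registry: DefaultFlags=0x40 under the HTTP.sys binding key for this IP:port,
#    the key the answer observed IIS Manager writing when the box is checked.
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:$Port"
if (-not (Test-Path -Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
Set-ItemProperty -Path $regPath -Name 'DefaultFlags' -Value 0x40 -Type DWord

# 3. Read both settings back so the installer log shows what was applied.
#    The answer notes a reboot was needed before IIS honoured the registry change.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name 'sslFlags'
Get-ItemProperty -Path $regPath -Name 'DefaultFlags' | Select-Object DefaultFlags
```

Run it elevated on the target server; a reboot afterwards matches what the answer reports was required.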

