Enabling TLS 1.3 Support and Blocking Weak Ciphers on CxManager
Notice
TLS 1.1 is being phased out for all major browsers, such as Chrome, Firefox, Safari, and Edge.
Please be aware that CxSAST v9.6. and v9.7 supports TLS 1.3 via the browser and command line but not via a remote database.
TLS (Transport Layer Security) and its now-deprecated predecessor, SSL (Secure Sockets Layer), are cryptographic protocols designed to provide communications security over a computer network. Websites can use TLS to secure all communications between their servers and web browsers. The TLS protocol aims to provide privacy and data integrity between two or more computer applications.
Sensitive data such as user credentials and credit card information must be protected when transmitted over the network, and the ciphers in use during secure communications via SSL and TLS 1.1 are too weak. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission. Even if high-grade ciphers are supported and used today, some misconfiguration in the server may force users of a weak cipher or no encryption to grant access to the supposedly secure communication channel.
Enabling TLS 1.3 Support
Support for TLS 1.3 can be enabled via the Windows registry on the CxManager host. As explained below, TLS 1.3 can be enabled manually or automatically from the CxManager host.
Notice
TLS 1.3 requires SQL Server 2022 (16.X) or higher. TLS 1.3 is compatible with Windows 11 and Win Server 2022. Older SQL server versions and Windows operating systems do not support TLS 1.3.
It is strongly recommended to disable weak ciphers. The relevant ciphers are listed at the end of this document.
Enabling TLS 1.3 Automatically
1. Download the attached TLS 1.3 .reg to the CxManager desktop.
2. Right-click (on Windows 10 and 11, select More Options), and select Merge.
3. Restart the server.
Enabling TLS 1.3 Manually
1. Start the Registry editor: Enter regedit in the Windows search field. The Registry Editor appears.
In the Registry Editor, browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319 folder.
Right-click inside the right pane and create a new DWORD (32-bit) Value. Rename the DWORD to SchUseStrongCrypto. Set the value to 1. To set the value to 1, right-click Enabled, select Modify... from the shortcut menu, Value Data, and change the value to 1.
Right-click inside the right pane and create a new DWORD (32-bit) Value. Rename the DWORD to SystemDefaultTlsVersions. Set the value to 1. To set the value to 1, right-click Enabled, select Modify... from the shortcut menu, Value Data, and change the value to 1.
In the Registry Editor, browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319 folder.
Repeat steps 2 and 3 above.
In the Registry Editor, browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727 folder.
Right-click inside the right pane and create a new DWORD (32-bit) Value. Rename the DWORD to SchUseStrongCrypto. Set the value to 1. To set the value to 1, right-click Enabled, select Modify... from the shortcut menu, Value Data, and change the value to 1.
Right-click inside the right pane and create a new DWORD (32-bit) Value. Rename the DWORD to SystemDefaultTlsVersions. Set the value to 1. To set the value to 1, right-click Enabled, select Modify... from the shortcut menu, Value Data, and change the value to 1.
In the Registry Editor, browse to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v2.0.50727 folder.
Repeat steps 2 and 3 above.
Restart the server.
Disabling Weak Ciphers
Contact your administrators or IT personnel to disable the below ciphers.