Enabling TLS 1.2 Support and Blocking Weak Ciphers on CxManager
Notice
TLS 1.1 is being phased out for all major browsers such as Chrome, Firefox, Safari, and Edge.
TLS (Transport Layer Security) and its now-deprecated predecessor, SSL (Secure Sockets Layer) are cryptographic protocols designed to provide communications security over a computer network. Websites can use TLS to secure all communications between their servers and web browsers. The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.
Sensitive data such as user credentials and credit card information must be protected when it is transmitted over the network and the ciphers in use during secure communications via SSL and TLS 1.1 are too weak. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission. Even if high-grade ciphers are supported and used today, some misconfiguration in the server may force users of a weak cipher or no encryption at all to grant access to the supposedly secure communication channel.
Enabling TLS 1.2 Support
Support for TLS 1.2 can be enabled via the Windows registry on the CxManager host. TLS 1.2 can be enabled manually or automatically from the CxManager host as explained below.
Notice
TLS 1.2 requires SQL Server 11.0.5388.0 or higher. Older SQL server versions do not support TLS 1.2.
It is strongly recommended to disable weak ciphers. The relevant ciphers are listed at the end of this document.
Enabling TLS 1.2 Automatically
1. Download the attached registry file (TLS1.2.reg) to the CxManager desktop.
2. Right-click and select Merge.
3. Restart the server.
Enabling TLS 1.2 Manually
1. Start the Registry editor. To do so, enter regedit in the Windows search field. The Registry Editor appears.
In the Registry Editor, browse to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ProtocolsRight-click the
Protocols folder, select New | Key. Rename this key/folder
TLS 1.2.
Right-click the
TLS 1.2 key/folder and select New | Key again. Rename this key/folder
Client.
Right-click the
Client key/folder and select New | DWORD (32-bit) Value. Rename the DWORD to
DisabledByDefault and make sure that the value is set to 0 as illustrated below.
Right-click the
Client key/folder and select New | DWORD (32-bit) Value. Rename the DWORD to
Enabled. Set the value to 1.
To set the value to 1, right-click
Enabled, select Modify... from the shortcut menu, and under Value Data, change the value to 1.
In the Registry Editor, browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
Right-click inside the right pane and create a new DWORD (32-bit) Value. Rename the DWORD to
SchUseStrongCrypto. Set the value to 1.
To set the value to 1, right-click
Enabled, select Modify... from the shortcut menu, and under Value Data, change the value to 1.
In the Registry Editor, browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
Repeat step 3.b.
2. Restart the server.
Disabling Weak Ciphers
Contact your administrators or IT personnel to disable the relevant ciphers.