IIS Crypto... What is the point of "Client" settings?

SarahC (Beta member, Location: UK)
There are registry keys that IIS Crypto changes that are for the server AND the client.

If I set the server side to only accept TLS 1.2, what effect does ticking/unticking the client ciphers have?

What I don't get is - if the server's set to use TLS 1.2 at the lowest for "Server", and the server's "Client" settings are TLS 1.1, and TLS 1.0... what on earth would that do with the handshake?

Does that mean the server only replies using TLS 1.2, but the client can talk to the server with TLS 1.1, and TLS 1.0? :omg: :silent:
 
Hey Sarah.

If you set the server to use TLS 1.2 only, then it will only make outbound connections on TLS 1.2 and accept inbound connections on TLS 1.2.

Therefore, if a client is set to 1.0, 1.1 and 1.2, it may try all 3 (depending on the application support) until the DST server accepts one (being TLS 1.2).

You need to do a lot of testing if you want to disable SSL/TLS as some apps may not support TLS 1.2 yet.
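To make the Server/Client distinction concrete, here is an added PowerShell example (not code from the thread or from IIS Crypto) that reads and writes the SChannel registry keys the tool manages. Each protocol has a Server subkey (inbound handshakes this machine accepts) and a Client subkey (outbound handshakes this machine will offer); the Enabled and DisabledByDefault DWORD values are the real SChannel names. The function names and the $Apply switch are this example's own. Changes take effect after a reboot, so test on a non-production box first.

```powershell
# Added example: inspect and set SChannel protocol keys per side (Server vs Client).
# Run elevated. With $Apply = $false nothing is written; flip it to apply the scenario below.
$Apply = $false

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol/side, showing the stored values or 'not set' (OS default applies).
    foreach ($p in $protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$p\$side"
            $enabled = 'not set'; $disabledByDefault = 'not set'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($null -ne $props.Enabled)           { $enabled           = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
            }
            [pscustomobject]@{ Protocol = $p; Side = $side; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
        }
    }
}

function Set-SchannelProtocol {
    # Enabled=1 + DisabledByDefault=0 turns a protocol on; Enabled=0 + DisabledByDefault=1 turns it off.
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Side,
        [Parameter(Mandatory)][bool]$Enable
    )
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
}

if ($Apply) {
    # Sarah's scenario: Server side accepts TLS 1.2 only.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        Set-SchannelProtocol -Protocol $p -Side Server -Enable $false
    }
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Server -Enable $true

    # Client side: make sure TLS 1.2 is on for outbound connections. TLS 1.0/1.1 Client keys are
    # deliberately left alone here, so this box can still reach remote servers that are not
    # 1.2-capable yet; disable them the same way once outbound dependencies have been checked.
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Client -Enable $true
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the output. First, a Client key only governs what SChannel itself will offer when this machine connects out; it does not make the box *accept* those versions inbound, which is why the scenario in the question is consistent (TLS 1.2 only inbound, TLS 1.0/1.1 still possible outbound). Second, not every application takes its protocol list straight from these keys: on older Windows and .NET releases, .NET and WinHTTP clients carried their own defaults, so an application can keep offering TLS 1.0 outbound even after the Client keys say otherwise, or fail outright once the remote side goes 1.2-only. That is the "depending on the application support" part of the answer above.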
 
Pretty much this.

The company I work at recently switched servers to only TLS 1.2, and we've been having to update older applications that broke because of it; they did not support TLS 1.2, so we had to add support to them.
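The kind of testing described here can be scripted. The following is an added PowerShell example (not from the thread, and not part of any product mentioned in it) that opens a TCP connection to a host and attempts a handshake with each TLS version in turn, much as a client with several versions enabled would, reporting which ones the remote server accepts. The function name, and the host and port passed to it, are this example's own choices; substitute the endpoint you are validating.

```powershell
# Added example: probe which TLS versions a remote endpoint accepts, one handshake per version.
# Because SslStream uses SChannel on Windows, a version disabled under the local *Client* key
# fails here too, so the same probe also shows the effect of the Client settings on this box.
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # avoid $Host: it is a PowerShell automatic variable
        [int]$Port = 443,
        [string[]]$Protocols = @('Tls', 'Tls11', 'Tls12')   # System.Security.Authentication.SslProtocols names
    )
    foreach ($name in $Protocols) {
        $proto = [System.Security.Authentication.SslProtocols]$name
        $tcp   = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($ComputerName, $Port)
            # Certificate validation is bypassed on purpose: this probe is about protocol
            # negotiation only. Do not copy that callback into production code.
            $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            [pscustomobject]@{
                Offered    = $name
                Result     = 'accepted'
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            }
            $ssl.Dispose()
        }
        catch {
            # A server restricted to TLS 1.2 (or a local Client key that disables the version)
            # surfaces here as a handshake failure for the older versions.
            [pscustomobject]@{
                Offered    = $name
                Result     = 'rejected'
                Negotiated = $null
                Cipher     = $_.Exception.Message
            }
        }
        finally {
            $tcp.Close()
        }
    }
}

# Usage: run against the server you are about to restrict, before and after the change,
# and against every remote endpoint this box must reach outbound.
Test-TlsHandshake -ComputerName 'internal-app.example.com' -Port 443 | Format-Table -AutoSize
```

Run it from the machine whose Client settings you are changing, not from your workstation, since the result depends on both ends: a row that flips from "accepted" to "rejected" after an IIS Crypto change on the local box is the Client key doing its job, while a row that is "rejected" from every client is the remote server refusing that version.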
 
This was the story of my life end of last year - one of the bigger products we support (Thales/Gemalto Safenet Trusted Access) went TLS-1.2-only, and we had dozens of P1 cases raised as customers (who had ignored emails for months and months about the switch) suddenly had their 2FA solution fail.

We'd expected the same when Microsoft were set to disallow plaintext queries to Active Directory, as they are used for user identification and authentication on firewall products like Palo Alto and Fortinet, but nothing ever really came of it.
 