TLS Scenario
To achieve PCI compliance, some users might use a tool (such as IISCrypto) to allow only TLS 1.1 and 1.2 traffic by disabling TLS 1.0 support on their computers. In such a case, you might encounter the "unable to reach server" error on Windows 7 and Server 2008 computers. The default setting for these OS versions is TLS 1.0.
How to enable TLS 1.1?
1. Register TLS 1.1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
2. Configure TLS 1.1 to be used for WinHTTP by default
For 32-bit Windows 7/Server 2008
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000200
For 64-bit Windows 7/Server 2008
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000200
3. For TLS 1.2, use dword:00000800 instead in Step 2
Note:
Windows XP uses SSL v3 by default for WinHTTP. Windows 8 or later uses TLS 1.1 for WinHTTP by default.
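Added example (not part of the original article): DefaultSecureProtocols is a bit mask, so the values from Steps 2 and 3 can be checked, and OR'ed together (0x00000A00 enables both TLS 1.1 and TLS 1.2), by decoding an exported .reg file. The function names and the sample export are constructed for illustration; the SSL 2.0, SSL 3.0 and TLS 1.0 bits come from Microsoft's WinHTTP documentation, not from this page, and the export is assumed to be already decoded to text.

```python
import re

# WinHTTP DefaultSecureProtocols flag bits. 0x200 and 0x800 are the values used
# in Steps 2 and 3; the other bits are from Microsoft's WinHTTP documentation.
FLAGS = {0x8: "SSL 2.0", 0x20: "SSL 3.0", 0x80: "TLS 1.0",
         0x200: "TLS 1.1", 0x800: "TLS 1.2"}
LEGACY = {"SSL 2.0", "SSL 3.0", "TLS 1.0"}

def decode_protocols(value):
    """Return the protocol names enabled by a DefaultSecureProtocols bit mask."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]

def parse_reg(text):
    """Parse .reg-style text into {key_path: {value_name: int}} (dword values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit_winhttp(text):
    """Map each WinHttp key to (enabled protocols, legacy protocols still enabled)."""
    report = {}
    for path, values in parse_reg(text).items():
        if (path.lower().endswith(r"\internet settings\winhttp")
                and "DefaultSecureProtocols" in values):
            enabled = decode_protocols(values["DefaultSecureProtocols"])
            report[path] = (enabled, [p for p in enabled if p in LEGACY])
    return report

# Constructed sample export: the native key allows TLS 1.1 + 1.2, while the
# Wow6432Node key still has the TLS 1.0 bit set.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a80
'''

if __name__ == "__main__":
    for path, (enabled, legacy) in audit_winhttp(SAMPLE).items():
        print(path, enabled, "LEGACY:" if legacy else "ok", legacy)
```

Any key that reports a non-empty legacy list still lets WinHTTP clients negotiate a protocol that the TLS 1.0 lockdown was meant to remove.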