Unable to reach server (streamer) because of TLS 1.0 support disabled

TLS Scenario

To achieve PCI compliance, some users might use a tool (such as IISCrypto) to allow only TLS 1.1 and 1.2 traffic by disabling TLS 1.0 support on their computers. In such a case, you might encounter the "unable to reach server" error on Windows 7 and Server 2008 computers, because the default secure protocol on these OS versions is TLS 1.0.

How to enable TLS 1.1?

1. Register TLS 1.1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

2. Configure TLS 1.1 to be used for WinHTTP by default

For 32-bit Windows 7/Server 2008

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000200

For 64-bit Windows 7/Server 2008

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000200
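The two steps above, applied and then read back from an elevated PowerShell prompt. This is an added example, not part of the article or of Splashtop's own tooling. It assumes Windows 7 / Server 2008 with the WinHTTP update that introduced the DefaultSecureProtocols value (Microsoft KB3140245) installed, since the value is ignored without it, and it goes one step beyond the article on 64-bit Windows by writing both the native WinHttp key (read by 64-bit processes) and the Wow6432Node key the article lists (read by 32-bit processes). A reboot is still required afterwards.

```powershell
# Added example (not from the Splashtop article): applies the SCHANNEL and WinHTTP
# registry settings from steps 1 and 2 and reads them back for verification.
# Run from an elevated PowerShell prompt; the settings take effect after a reboot.
# Assumes the WinHTTP update that introduced DefaultSecureProtocols (KB3140245).

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$WinHttpKeys  = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    # 64-bit Windows: 32-bit processes read the Wow6432Node key (the one the article
    # lists for 64-bit); 64-bit processes read the native key above. Set both.
    $WinHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}

# Bit values of the WinHTTP DefaultSecureProtocols mask.
$ProtocolBits = @{ 0x08 = 'SSL 2.0'; 0x20 = 'SSL 3.0'; 0x80 = 'TLS 1.0'; 0x200 = 'TLS 1.1'; 0x800 = 'TLS 1.2' }

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Enable-SchannelProtocol {
    # Step 1: register the protocol for both the Client and Server side of SCHANNEL.
    param([Parameter(Mandatory=$true)][string]$Protocol)   # e.g. 'TLS 1.1'
    foreach ($side in 'Client', 'Server') {
        $key = "$SchannelRoot\$Protocol\$side"
        # -1 is stored as dword:ffffffff, which is the article's Enabled value.
        Set-RegDword -Path $key -Name 'Enabled' -Value -1
        Set-RegDword -Path $key -Name 'DisabledByDefault' -Value 0
    }
}

function Set-WinHttpDefaultSecureProtocols {
    # Step 2: tell WinHTTP which protocols to offer by default.
    # 0x200 = TLS 1.1 only, as in the article; 0xA00 would offer TLS 1.1 and TLS 1.2.
    param([int]$Mask = 0x200)
    foreach ($key in $WinHttpKeys) {
        Set-RegDword -Path $key -Name 'DefaultSecureProtocols' -Value $Mask
    }
}

function Get-WinHttpProtocolNames {
    # Decodes a DefaultSecureProtocols mask into protocol names.
    param([int]$Mask)
    $ProtocolBits.Keys | Sort-Object | Where-Object { ($Mask -band $_) -ne 0 } | ForEach-Object { $ProtocolBits[$_] }
}

function Get-TlsRegistryState {
    # Reads every value the two steps touch so the change can be checked before rebooting.
    param([string]$Protocol = 'TLS 1.1')
    $rows = @()
    foreach ($side in 'Client', 'Server') {
        $key = "$SchannelRoot\$Protocol\$side"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $display = '(missing)'
            if ($p -ne $null -and $p.$name -ne $null) { $display = '0x{0:x8}' -f $p.$name }
            $rows += New-Object PSObject -Property @{ Key = $key; Name = $name; Value = $display; Meaning = '' }
        }
    }
    foreach ($key in $WinHttpKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $display = '(missing)'; $meaning = ''
        if ($p -ne $null -and $p.DefaultSecureProtocols -ne $null) {
            $display = '0x{0:x8}' -f $p.DefaultSecureProtocols
            $meaning = (Get-WinHttpProtocolNames $p.DefaultSecureProtocols) -join ', '
        }
        $rows += New-Object PSObject -Property @{ Key = $key; Name = 'DefaultSecureProtocols'; Value = $display; Meaning = $meaning }
    }
    $rows
}

Enable-SchannelProtocol -Protocol 'TLS 1.1'
Set-WinHttpDefaultSecureProtocols -Mask 0x200
Get-TlsRegistryState -Protocol 'TLS 1.1' | Format-Table Key, Name, Value, Meaning -AutoSize
```

The read-back table is the check worth keeping: a WinHttp row showing "(missing)" after the script has run means the key was not writable (the prompt was not elevated), and a mask that decodes to only "TLS 1.1" while the server side has been limited to TLS 1.2 will still produce the "unable to reach server" error, so compare the decoded names against what the IISCrypto template left enabled.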

Note:

Windows XP uses SSL v3 by default for WinHTTP.  Windows 8 or later uses TLS 1.1 for WinHTTP by default.

Comments

  • Cdoyle

    After applying the IISCrypto PCI3.1 template, but unchecking the MD5 and SHA hash settings, I could no longer reach the Splashtop machine.

    Went through and added the above registry settings, and after a reboot still cannot access the Splashtop endpoint...

    Is there any relation with the MD5 or SHA?

    SHA1 was throwing an issue for PCI compliance, just wondering what all components are needed to still utilize Splashtop for remote access, while securing the RDP Protocol at the same stride...

    Thank you in advance for your advice!!

  • Cdoyle

    Here are my findings,

    Win 7 x64 client updates as of today 6-28-17
    Splashtop streamer 3.1.4.1

    IISCrypto applied PCI3.1 works (after applying the OP reg patches), but not with SHA disabled...

    Our PCI Scan findings:

    ***
    This finding indicates that the SHA-1 Hashing Algorithm has been
    detected in your SSL/TLS certificate during your scan.
    This algorithm has known security weaknesses that can be exploited by
    attackers. The PCI Security Standards Council (PCI SSC) has banned
    use of the SHA-1 hashing algorithm for code signing for browser-based
    connections in PCI compliant environments.

    Certificate Chain Depth: 0
    Certificate Signature Algorithm: sha1WithRSAEncryption

    Remediation:
    All certificates should be updated to use a secure hash function such as
    SHA-2 or greater in its signature algorithm.
    Please note the port associated with this finding, as this finding may
    NOT be originating from port 443, which most online testing tools test
    by default. Please see the reference below for assistance in migrating a
    Certificate Authority Key from a Cryptographic Service Provider (CSP)
    to a Key Storage Provider (KSP).
    **NOTE:** Sufficient planning and testing of ALL operating systems,
    devices, and applications that currently use internal certificates within
    your enterprise should be taken to ensure that they support SHA2
    algorithms.***

    It seems to me that the default RDP protocol is using SHA, as is Splashtop. We need to be able to clear the SHA hash from usage to pass the PCI scan.

    Can we configure Splashtop Streamer to use SHA256 or other instead of SHA?

    Thank you in advance!!

    See page 2 here for the PCI recommendation that TLS 1.2 is the desired encryption to remain PCI compliant.
    https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information_Supplement_v1.pdf
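The scan finding quoted above is about the signature algorithm of the certificate the endpoint presents, not about the TLS cipher suites, and the reply below asks how it was measured. The following is an added example, not part of the article or of either commenter's posts: it opens a TLS connection to a host and port, reports which protocol was negotiated and which signature algorithm (sha1RSA, sha256RSA, ...) the presented certificate carries, so an administrator can reproduce the finding on the exact port the scanner named. It assumes .NET Framework 4.5 or later (for the Tls11/Tls12 enum values); the host name and port in the usage call are placeholders.

```powershell
# Added example (not from the article or the comment thread): connects to a TLS endpoint
# and reports the negotiated protocol and the signature algorithm of the certificate it
# presents, which is what a PCI scanner's "SHA-1 in certificate" finding refers to.
# Assumes .NET Framework 4.5 or later; host and port below are placeholders.

function Get-TlsEndpointInfo {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 443,
        # Protocols this check offers; 'Tls11, Tls12' mirrors the PCI guidance.
        [System.Security.Authentication.SslProtocols]$Protocols = 'Tls11, Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        # The validation callback always returns $true: this check inspects the
        # certificate and never sends application data, so trust is not decided here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocols, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName     # e.g. sha1RSA or sha256RSA
        New-Object PSObject -Property @{
            Endpoint           = "${ComputerName}:$Port"
            Protocol           = $ssl.SslProtocol
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            SignatureAlgorithm = $sigAlg
            # Scanners flag SHA-1 signatures; a self-signed SHA-1 certificate counts too.
            Sha1Signed         = ($sigAlg -like 'sha1*')
        }
    } finally {
        if ($ssl -ne $null) { $ssl.Dispose() }
        $client.Close()
    }
}

# Placeholder endpoint: replace with the host and the port your scan report names.
Get-TlsEndpointInfo -ComputerName 'streamer.example.internal' -Port 443 |
    Format-List Endpoint, Protocol, Subject, Issuer, NotAfter, SignatureAlgorithm, Sha1Signed
```

A scanner reports the certificate on whatever port it probed, so run this against the port given in the finding rather than 443; a Sha1Signed value of True on that port, together with the Issuer field, shows whether the certificate is the product's own or one issued by an internal CA that needs re-issuing with SHA-2.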

  • Support

    @Cdoyle,

    Thanks for the report.

    Our endpoints and servers should already apply SHA 256, so it is expected that it couldn't work with SHA disabled.

    Can we know how you scanned and found that it is the SHA-1 hash algorithm we are using?

    Thank you,
    Vans