Configure TLS 1.2 force usage
Introduction
For security reasons, it is recommended to force your CI installation to use only TLS 1.2.
Because Capainstaller services communicate internally, you also need to ensure that the client settings for secure protocol communication are set.
Making these changes requires a reboot.
Server settings compatible with Microsoft Windows Server 2012R2, 2016 and 2019.
To force your server to use TLS 1.2, you need to prepare it with the following registry keys. After setting these keys, the server needs to be rebooted.
Step 1: Disable all legacy protocols in Schannel, for both server and client communication
Registry settings
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

Step 2: Force .NET Framework to only use strong encryption
Registry settings
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Download the registry file to configure all of the above.
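
To confirm after the reboot that every value from Step 1 and Step 2 is in place, a read-only check such as the following can be run on the server. It is an added example, not part of the Capainstaller documentation or the downloadable registry file; the variable names are its own, and it assumes a 64-bit PowerShell session so that the WOW6432Node paths resolve as written.

```powershell
# Added example: read-only audit of the registry values listed in Step 1 and Step 2.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnetRoots = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework'
)

# Build the expected state: registry path, value name, expected DWORD.
$expected = @()
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $path = "$schannel\$proto\$role"
        $expected += [pscustomobject]@{ Path = $path; Name = 'DisabledByDefault'; Want = 1 }
        $expected += [pscustomobject]@{ Path = $path; Name = 'Enabled'; Want = 0 }
    }
}
foreach ($root in $dotnetRoots) {
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        $path = "$root\$ver"
        $expected += [pscustomobject]@{ Path = $path; Name = 'SystemDefaultTlsVersions'; Want = 1 }
        $expected += [pscustomobject]@{ Path = $path; Name = 'SchUseStrongCrypto'; Want = 1 }
    }
}

# Compare each expected value with the registry; a missing key or value counts as a failure.
$results = foreach ($e in $expected) {
    $actual = $null
    if (Test-Path -LiteralPath $e.Path) {
        $item = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($e.Name) }
    }
    $shown = '<missing>'
    if ($null -ne $actual) { $shown = $actual }
    [pscustomobject]@{
        Path   = $e.Path
        Name   = $e.Name
        Want   = $e.Want
        Actual = $shown
        OK     = ($null -ne $actual -and $actual -eq $e.Want)
    }
}

# Report only the deviations, then a one-line summary.
$bad = @($results | Where-Object { -not $_.OK })
$bad | Format-Table -AutoSize -Wrap
if ($bad.Count -eq 0) { 'All values from Step 1 and Step 2 match.' }
else { "$($bad.Count) value(s) missing or different from the page." }
```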