Jaa


Windows 7 adds support for TLSv1.1 and TLSv1.2

Windows 7's updated crypto stack (schannel.dll, etc) offers support for TLSv1.1 and TLSv1.2.  While disabled by default in IE8 (for compatibility reasons; some legacy sites will fail to connect when the updated TLS version is offered) the new protocol versions can be enabled by checking the appropriate boxes at the bottom of Tools / Internet Options / Advanced.  Of course, the protocols and ciphers can also be controlled via Group Policy.

By default, on all platforms, IE8/WinINET is configured with TLSv1 and SSLv3 enabled. 

One interesting caveat arises due to a clause in the TLSv1.2 specification. If TLSv1.2 is enabled, even if you have manually enabled SSLv2 (it's been off-by-default since IE7), the SSLv3+ format handshake will be used.  In practice, this means that it will be impossible to connect to any server which requires SSLv2 if TLSv1.2 is enabled.  (We're not aware of any sites for which this will cause a problem, but it's interesting anyway.)

Using Fiddler to examine the HTTPS traffic from IE on Windows 7, you can see the following protocols offered in each of the described configurations:

Configuration: IE8+Win7, Enable TLS1.2+1.1+1.0 & SSL3

Major Version: 3

Minor Version: 3

Ciphers:

                [003C] TLS_RSA_WITH_AES_128_CBC_SHA256

                [002F] TLS_RSA_AES_128_SHA

                [003D] TLS_RSA_WITH_AES_256_CBC_SHA256

                [0035] TLS_RSA_AES_256_SHA

                [0005] SSL_RSA_WITH_RC4_128_SHA

                [000A] SSL_RSA_WITH_3DES_EDE_SHA

                [C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

                [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA

                [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA

                [C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

                [C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

                [C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

                [C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

                [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

                [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

                [0040] TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

                [0032] TLS_DHE_DSS_WITH_AES_128_SHA

                [006A] TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

                [0038] TLS_DHE_DSS_WITH_AES_256_SHA

                [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA

                [0004] SSL_RSA_WITH_RC4_128_MD5

Configuration: IE8+Win7, Enable TLS1.1+1.0 & SSL3

Major Version: 3

Minor Version: 2

Ciphers:

                [002F] TLS_RSA_AES_128_SHA

                [0035] TLS_RSA_AES_256_SHA

                [0005] SSL_RSA_WITH_RC4_128_SHA

                [000A] SSL_RSA_WITH_3DES_EDE_SHA

                [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA

                [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA

                [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

                [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

                [0032] TLS_DHE_DSS_WITH_AES_128_SHA

                [0038] TLS_DHE_DSS_WITH_AES_256_SHA

                [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA

                [0004] SSL_RSA_WITH_RC4_128_MD5

Configuration: IE8+Win7, Enable TLS1.2+1.1+1.0 & SSL3 but if the server immediately drops the connection, WinINET will retry using TLSv1.

Major Version: 3

Minor Version: 1

Ciphers:

                [002F] TLS_RSA_AES_128_SHA

                [0035] TLS_RSA_AES_256_SHA

                [0005] SSL_RSA_WITH_RC4_128_SHA

                [000A] SSL_RSA_WITH_3DES_EDE_SHA

                [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA

                [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA

                [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

                [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

                [0032] TLS_DHE_DSS_WITH_AES_128_SHA

                [0038] TLS_DHE_DSS_WITH_AES_256_SHA

                [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA

                [0004] SSL_RSA_WITH_RC4_128_MD5

Configuration: IE8+Win7, Enable TLS1.0 & SSL3

Major Version: 3

Minor Version: 1

Ciphers:

                [002F] TLS_RSA_AES_128_SHA

                [0035] TLS_RSA_AES_256_SHA

                [0005] SSL_RSA_WITH_RC4_128_SHA

                [000A] SSL_RSA_WITH_3DES_EDE_SHA

                [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA

                [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA

                [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

                [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

                [0032] TLS_DHE_DSS_WITH_AES_128_SHA

                [0038] TLS_DHE_DSS_WITH_AES_256_SHA

                [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA

                [0004] SSL_RSA_WITH_RC4_128_MD5

Configuration: IE8+Win7, Enable only SSL2
Major Version: 2

Minor Version: 0

Ciphers:

                [10080] SSL2_RC4_128_WITH_MD5

                [700C0] SSL2_DES_192_EDE3_WITH_MD5

Configuration: IE8+Win7, Enable SSL3+SSL2

Major Version: 3

Minor Version: 0

Ciphers:

                [0005] SSL_RSA_WITH_RC4_128_SHA

                [000A] SSL_RSA_WITH_3DES_EDE_SHA

                [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA

                [0004] SSL_RSA_WITH_RC4_128_MD5

                [10080] SSL2_RC4_128_WITH_MD5

                [700C0] SSL2_DES_192_EDE3_WITH_MD5

For contrast, IE8 on XPSP3 offers a smaller set of ciphers and does not support TLSv1.1 and TLSv1.2
Configuration: IE8+XP, Enable TLS1.0 & SSL3

Major Version: 3

Minor Version: 1

               [0004] SSL_RSA_WITH_RC4_128_MD5

                [0005] SSL_RSA_WITH_RC4_128_SHA

                [000A] SSL_RSA_WITH_3DES_EDE_SHA

                [0009] SSL_RSA_WITH_DES_SHA

                [0064] TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

                [0062] TLS_RSA_EXPORT1024_WITH_DES_SHA

                [0003] SSL_RSA_EXPORT_WITH_RC4_40_MD5

                [0006] SSL_RSA_EXPORT_WITH_RC2_40_MD5

                [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA

                [0012] SSL_DHE_DSS_WITH_DES_SHA

                [0063] TLS_DHE_DSS_EXPORT1024_WITH_DES_SHA

-Eric

Comments