
Enabling TLS 1.1/1.2 support in Vista's Internet Explorer 9


VistaLover


42 minutes ago, Dylan Cruz said:


4019276 throws "Update not applicable" error - ideas?

If you have already installed a number of Server 2008 updates, then you probably have KB4056564, which superseded KB4019276 as first noted in a June 22, 2018 post above. Otherwise, you might have downloaded a patch with incorrect bitness or for Itanium-based systems.



7 hours ago, Vistapocalypse said:

If you have already installed a number of Server 2008 updates, then you probably have KB4056564, which superseded KB4019276 as first noted in a June 22, 2018 post above. Otherwise, you might have downloaded a patch with incorrect bitness or for Itanium-based systems.

I do indeed have 4056564. That doesn't explain though how come my version number is lower than yours...

I applied the TLS reg entry and nothing has changed, either, except now all the SSL 2,3 and TLS 1 entries are grayed out!


@VistaLover @Vistapocalypse @win32

OK, so something bizarre is definitely going on. Not sure if it had to do with the reg patches I applied.

In Local Group Policy, I do have the option to "Use TLS 1, 1.1, 1.2 only". I toggled that on and off and it seemed to have no effect.

However, I navigated to a site I know is TLS 1.2+ only and it worked!

Confused, I ran a client SSL test - these were the results:


This matches with Internet options - SSL 2, 3, and TLS 1 are disabled/greyed out AND I don't have any of them checked!

How is HTTPS even working? It seems there is a huge mismatch between the settings and what's really going on...

I played with the group policy settings and they do seem to do SOMETHING... when I changed it to "Use TLS 1.1 only", the aforementioned site stopped working. When I changed it back to 1, 1.1, and 1.2 only, it started working again.

So I guess TLS 1.2 DOES work, but it's not apparent because the options don't show up in Internet Options. And SSL tests say the protocols are disabled even though it literally says TLS 1.2 for the handshake protocol!!! Any way to fix this? I've run the registry changes multiple times.

[screenshot: Capture.PNG]


3 hours ago, Dylan Cruz said:

That doesn't explain though how come my version number is lower than yours...

Your IE9 version number depends on which cumulative security update for IE9 is installed. The last cumulative security update with a dual signature was KB4507434. (VistaLover wasn’t using that one in July 2017 because it wasn’t released until July 2019.) For those who have installed SHA-2 support, the highest possible version of IE9 remains a cutting-edge question.

Your latest and longest post seems to be about the reg files that were created by greenhillmaniac, who has never posted in this thread. It is possible to scrutinize the changes in a reg file without running it. I have looked at the reg files (in fact once offered some input regarding the x64 version), and recall some arguably superfluous changes that I interpreted as being for the sake of security (e.g. having SSL enabled has been unwise for years).

If anyone running Vista x64 would like to manually edit their registry pursuant to TLS 1.1 and 1.2, see this post.


9 minutes ago, Vistapocalypse said:

Your IE9 version number depends on which cumulative security update for IE9 is installed. The last cumulative security update with a dual signature was KB4507434. (VistaLover wasn’t using that one in July 2017 because it wasn’t released until July 2019.) For those who have installed SHA-2 support, the highest possible version of IE9 remains a cutting-edge question.

Your latest and longest post seems to be about the reg files that were created by greenhillmaniac, who has never posted in this thread. It is possible to scrutinize the changes in a reg file without running it. I have looked at the reg files (in fact once offered some input regarding the x64 version), and recall some arguably superfluous changes that I interpreted as being for the sake of security (e.g. having SSL enabled has been unwise for years).

If anyone running Vista x64 would like to manually edit their registry pursuant to TLS 1.1 and 1.2, see this post.


That did the trick! I hadn't seen the comments regarding 64-bit vs. 32-bit. Thank you, it worked!

I had examined the reg files closely myself and run various versions of it, but they were all targeting 32-bit in retrospect.

I use Group Policy to disable insecure SSL anyways so the additional changes seem not to be necessary, just this did the trick:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-

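As an added example (not code from this thread, and not greenhillmaniac's reg files), the following Python script does what Vistapocalypse suggests above: it scrutinizes a .reg file without importing it. It parses the REGEDIT5 text format and lists every key/value change, flagging which ones land under Wow6432Node (the HKLM\SOFTWARE view that 32-bit IE9 reads on Vista x64) and which are SCHANNEL policy under HKLM\SYSTEM, which WOW64 does not redirect. The sample file embedded in it is constructed for the example: the TLS1.2 fix as posted, the TLS1.1 value put in the native 64-bit view instead, and one SCHANNEL cipher disable.

```python
r"""Audit a Windows .reg file without importing it.

Added example, not code from this thread or from greenhillmaniac's reg files.
Parses the REGEDIT5 text format and lists every change, flagging whether it
lands in the Wow6432Node view (the HKLM\SOFTWARE view a 32-bit IE9 reads on
Vista x64) and whether it is SCHANNEL policy under HKLM\SYSTEM, which WOW64
does not redirect, so one copy serves both bitnesses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the x64 OSVersion fix for TLS1.2 as posted, the TLS1.1
# value in the native (64-bit) view instead, and one SCHANNEL cipher disable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
"""

_HEADER = "Windows Registry Editor Version 5.00"
# "name"=data  or  @=data  (default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass
class Change:
    key: str
    name: Optional[str]       # None for a whole-key operation
    action: str               # "delete_key", "delete_value" or "set_value"
    data: object = None       # int for dword, str for strings, raw text otherwise

    @property
    def wow64_view(self) -> bool:
        """True if a 32-bit process on x64 is the one that will see this change."""
        return "\\wow6432node\\" in self.key.lower()

    @property
    def schannel(self) -> bool:
        """True for SCHANNEL policy under HKLM\\SYSTEM (not redirected by WOW64)."""
        prefix = "hkey_local_machine\\system\\currentcontrolset\\control\\securityproviders\\schannel"
        return self.key.lower().startswith(prefix)


def _decode(data: str):
    if data == "-":
        return None
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data               # hex(...) blobs and other types are kept as raw text


def parse_reg(text: str) -> List[Change]:
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != _HEADER:
        raise ValueError("not a REGEDIT5 (.reg) file")
    changes: List[Change] = []
    key: Optional[str] = None
    pending = ""              # accumulates a hex value split across lines
    for raw in lines[1:]:
        line = pending + raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]   # trailing backslash: value continues on next line
            continue
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):      # [-KEY] deletes the whole key
                changes.append(Change(body[1:], None, "delete_key"))
                key = None
            else:
                key = body
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsable line: {line!r}")
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(3)
        action = "delete_value" if data == "-" else "set_value"
        changes.append(Change(key, name, action, _decode(data)))
    return changes


def report(text: str) -> List[str]:
    """One human-readable line per change, with the view it lands in."""
    out = []
    for c in parse_reg(text):
        view = "Wow6432Node (32-bit view)" if c.wow64_view else "native view"
        tag = " [SCHANNEL policy, shared by both views]" if c.schannel else ""
        out.append(f"{c.action:<12} {(c.name or ''):<10} {view}{tag} :: {c.key}")
    return out


if __name__ == "__main__":
    import sys
    src = SAMPLE_REG
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
        # regedit exports UTF-16LE with a BOM; hand-written files are usually ANSI/UTF-8
        src = blob.decode("utf-16") if blob.startswith(b"\xff\xfe") else blob.decode("utf-8", "replace")
    print("\n".join(report(src)))
```

Run it against a downloaded file (`python audit_reg.py somefile.reg`) before importing. On the constructed sample it shows the TLS1.1 change landing only in the native view and the TLS1.2 change only in the Wow6432Node view, which is exactly the kind of file that would leave 32-bit IE9 on Vista x64 with one TLS option still missing, while the SCHANNEL line is reported as shared by both views.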

21 minutes ago, Dylan Cruz said:

That did the trick! I hadn't seen the comments regarding 64-bit vs. 32-bit, thank you it worked!

I had examined the reg files closely myself and run various versions of it, but they were all targeting 32-bit in retrospect.

I use Group Policy to disable insecure SSL anyways so the additional changes seem not to be necessary, just this did the trick:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1]
"OSVersion"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2]
"OSVersion"=-

Hmm, @greenhillmaniac might need to take another look at his reg file then, at least the x64 version. (VistaLover and I use Vista x86 anyway.) Glad you have it working now! :)


2 hours ago, Vistapocalypse said:

Hmm, @greenhillmaniac might need to take another look at his reg file then, at least the x64 version. (VistaLover and I use Vista x86 anyway.) Glad you have it working now! :)

Yeah, I ran the one he had in there and it didn't seem to do the trick, but this one did.

I wasn't a fan of 64-bit in the past, but the RAM limitation of 32-bit is kind of significant starting with Vista. I use 64-bit of Vista+ and 32-bit XP, W2K, and MS Office, since 64-bit Office is a joke.


On 8/8/2020 at 2:26 PM, Dylan Cruz said:

And SSL tests say the protocols are disabled even though it literally says TLS 1.2 for the handshake protocol!!!

The Protocol Support section of the SSL Client Test available in browserleaks.com also fails for me here in IE9 32-bit:

[screenshot: mHwIiVz.jpg]

... while, at the same time, the Handshake section is displayed correctly:

[screenshot: Y6hVVdp.jpg]

Perhaps they're using some CSS/JS code in the first failing section that the deprecated IE9 rendering engine can't cope with... (?)

For IE9 specifically, you may want to use the SSL Labs Client Test,

https://www.ssllabs.com/ssltest/viewMyClient.html :

[screenshot: JkL6klo.jpg]


2 minutes ago, VistaLover said:

The Protocol Support section of the SSL Client Test available in browserleaks.com also fails for me here in IE9 32-bit:

[screenshot: mHwIiVz.jpg]

... while, at the same time, the Handshake section is displayed correctly:

[screenshot: Y6hVVdp.jpg]

Perhaps they're using some CSS/JS code in the first failing section that the deprecated IE9 rendering engine can't cope with... (?)

For IE9 specifically, you may want to use the SSL Labs Client Test,

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html :

[screenshot: JkL6klo.jpg]

Seems to check out for me as well! Hooray for Vista!


[screenshot: Capture.PNG]


For the more observant among you, you might've noticed that @Dylan Cruz's last screengrab contains one additional IE9 cipher suite [TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)] that is absent on my IE9 SSL Labs Client Test!

In fact, on a TLS 1.0+1.1+1.2 enabled Vista SP2 machine, IE9 supports the below twelve variations of cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy(2) 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy(2) 256

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   WEAK 112
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112

TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE 128

(2) Cannot be used for Forward Secrecy because they require DSA keys, which are effectively limited to 1024 bits.

At some point, I had removed support for half of them, deemed to be extremely WEAK/insecure:

Removed:

*TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128 (TLS1.1)
*TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256 (TLS1.1)

*TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112 (TLS1.2)
*TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   WEAK 112

*TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE 128
*TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE 128

which currently leaves me with

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy(2) 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy(2) 256

NB: The last two do not support FS, so I might remove them, too...

PS: On my 32-bit system I used Disable_RSA_Ciphers_RC4-128-128_3DES-168.reg :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:00000000

A computer restart is needed before these changes take effect!

Reference:

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols


12 minutes ago, VistaLover said:

For the more observant among you, you might've noticed that @Dylan Cruz's last screengrab contains one additional IE9 cipher suite [TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)] that is absent on my IE9 SSL Labs Client Test!

In fact, on a TLS 1.0+1.1+1.2 enabled Vista SP2 machine, IE9 supports the below twelve variations of cipher suites:


TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy(2) 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy(2) 256

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   WEAK 112
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112

TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE 128

(2) Cannot be used for Forward Secrecy because they require DSA keys, which are effectively limited to 1024 bits.

At some point, I had removed support for half of them, deemed to be extremely WEAK/insecure:


Removed:

*TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128 (TLS1.1)
*TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256 (TLS1.1)

*TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 112 (TLS1.2)
*TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)   WEAK 112

*TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE 128
*TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE 128

which currently leaves me with


TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   Forward Secrecy 128
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   Forward Secrecy 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Forward Secrecy 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Forward Secrecy 256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x32)   Forward Secrecy(2) 128
TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x38)   Forward Secrecy(2) 256

NB: The last two do not support FS, so I might remove them, too...

PS: On my 32-bit system I used Disable_RSA_Ciphers_RC4-128-128_3DES-168.reg :


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:00000000

Reference:

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols

Does this matter though if SSL2/3 are disabled?

What would be the 64-bit reg script? Thanks!


10 minutes ago, Dylan Cruz said:

Does this matter though if SSL2/3 are disabled?

Please re-read my actual post! It pertains to insecure/weak cipher suites when ONLY TLS 1.0+1.1+1.2 are enabled!

10 minutes ago, Dylan Cruz said:

What would be the 64-bit reg script?

I'm sure you've been notified already of the fact I ONLY use the 32-bit variant of the OS, so no clue really... Try using the one I provided and go your way from there; I have faith in you! (FTR, a link to a M$ support article IS provided...)


1 hour ago, Dylan Cruz said:

What would be the 64-bit reg script? Thanks!

It would be the same on an x64 system. The only thing that really changes on x64 is that x86 components come under a "Wow6432Node" key.


2 years later...

Hi guys, I am using Vista Ultimate x64 with no extended kernel. I did the steps, however I don't get TLS 1.1 and TLS 1.2 in the IE9 advanced Internet Options.


The IE version: 9.0.8112.16421, update versions: 9.0.125 (KB4480965)

I did all the registry edits and still they don't appear in the IE advanced list.


3 hours ago, luxxxoor said:

Hi guys, I am using Vista Ultimate x64 with no extended kernel. I did the steps, however I don't get TLS 1.1 and TLS 1.2 in the IE9 advanced Internet Options.

Hello again. The instructions in the first post should work for Vista x86, but since you are running Vista x64, you need to make 2 more registry changes as mentioned here:

https://msfn.org/board/topic/177994-tls-1112-and-vista-issue-no-options/?do=findComment&comment=1157010

