<div dir="ltr">TlsVersion, not TlsVersions!<br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 20, 2014 at 4:28 PM, Nick Lowe <span dir="ltr"><<a href="mailto:nick.lowe@gmail.com" target="_blank">nick.lowe@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>For anybody interested, the configuration of the TlsVersions DWORD in the registry is more granular than the KB article lets on, as you actually get control of both the client and server version behaviour; it is not lumped together.<br><br>The values map to the SP_PROT flags defined in schannel.h, documented online as part of the SCHANNEL_CRED structure under grbitEnabledProtocols.<br><br><a href="http://msdn.microsoft.com/en-gb/library/windows/desktop/aa379810.aspx" target="_blank">http://msdn.microsoft.com/en-gb/library/windows/desktop/aa379810.aspx</a><br><br>SP_PROT_TLS1_SERVER<br>0x00000040<br><br>SP_PROT_TLS1_CLIENT<br>0x00000080<br><br>SP_PROT_TLS1_1_SERVER<br>0x00000100<br><br>SP_PROT_TLS1_1_CLIENT<br>0x00000200<br><br>SP_PROT_TLS1_2_SERVER<br>0x00000400<br><br>SP_PROT_TLS1_2_CLIENT<br>0x00000800<br><br></div><div>For standards-compliant TLS implementations, you just need an intersection of protocol support between client and server.<br><br>I am definitely curious if anybody encounters a buggy SSL/TLS library in use in the wild that rejects a TLS 1.1 or 1.2 Client Hello...<span class="HOEnZb"><font color="#888888"><br></font></span></div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Nick<br></div></font></span></div>
</blockquote></div><br></div></div>