Windows 7 - SSTP over TLS 1.1/TLS 1.2

Hi all,

Is it possible that a VPN/SSTP connection in Windows 7 is not TLS 1.1 or TLS 1.2 capable?
I deactivated the TLS 1.0 protocol on my NPS server (Windows Server 2012 R2 Standard), then I tried a VPN/SSTP connection to this server. During this I took a look at Wireshark (on the client) and it stated that the client (Windows 7) wants to use the TLS 1.0 protocol.
Afterwards I tried to force the TLS 1.1 and TLS 1.2 protocols through the registry settings (SecurityProviders\SCHANNEL\Protocols) on the client operating system; furthermore, I deactivated the TLS 1.0 protocol.

But it is not possible to establish a VPN/SSTP connection with my server. I have tested this whole scenario with a Windows 8 client and everything runs fine.


Best regards

Frank



I asked the same question in the Windows support forum and I got an answer: it is not possible to use TLS 1.1 / TLS 1.2 over SSTP in Windows 7.
Source: Windows 7 - SSTP over TLS 1.1/TLS 1.2



In this issue, I generally:
1. Ensure the server side has the right protocols enabled and disabled
2. Ensure the client side matches.

So for both, follow my steps on my blog which detail how to secure SSL on Windows systems.

https://rootisthelimit.com/securing-ssl-configuration-in-iis/



Hi Dorsey,

I have already done that (checked it more than twice). I also checked these settings with IISCrypto and all looks fine.
I looked over your blog and you activate TLS 1.0 in your script, but I want to deactivate it.

Anyway, as I mentioned before, the connection with Windows 8 works fine with the server settings.



Did you re-arrange the cipher suites?

I have a client using Windows 7 clients to connect to a server VPN with TLS 1.0 disabled. I don't know the details of their configuration though, as I did not set it up.



Yes, I re-arranged the cipher suites, but there should be a Windows 7 compatible cipher suite.

My Cipher Suite Order: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256



@Schuyler Dorsey: Did you deactivate TLS 1.0 on the client or on the server? Did you activate FIPS on the client, too?

I don't think the server is the main problem, but I will post my SCHANNEL configuration from the server for future support.
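An added example, not code posted by anyone in this thread, for comparing the settings the posters are discussing on both machines: it reads the SCHANNEL protocol keys for the Client and Server roles, the FIPS policy flag, and the effective cipher suite order. It assumes the standard registry locations Microsoft documents for these settings and is meant to be run elevated on both the Windows 7 client and the NPS server.

```powershell
# Added example: dump SCHANNEL protocol state, FIPS policy and cipher suite order.
# Registry paths are the documented SCHANNEL/Group Policy locations (assumption: unmodified OS).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)   # Role is 'Client' or 'Server'
    $key = Join-Path $schannel "Protocols\$Protocol\$Role"
    if (-not (Test-Path $key)) { return 'not set (OS default)' }
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Enabled=0 switches the protocol off outright; DisabledByDefault=1 leaves it
    # available only to applications that request it explicitly.
    if ($v.Enabled -eq 0)           { return 'disabled' }
    if ($v.DisabledByDefault -eq 1) { return 'disabled by default' }
    return 'enabled'
}

# Protocol matrix: the client-side 'Client' rows must overlap with the server-side 'Server' rows
# on at least one protocol, or the SSTP handshake cannot succeed.
foreach ($p in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($r in 'Client', 'Server') {
        [pscustomobject]@{ Protocol = $p; Role = $r; State = (Get-SchannelProtocolState $p $r) }
    }
}

# FIPS mode restricts the usable algorithms and is a common reason a handshake fails on one side only.
$fips = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
         -ErrorAction SilentlyContinue).Enabled
"FIPS algorithm policy enabled: $([bool]$fips)"

# Cipher suite order: a Group Policy value (REG_SZ, comma-separated) overrides the local
# default list (REG_MULTI_SZ). Print whichever is in effect, one suite per line.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Functions
if ($policy) {
    "Cipher suite order (Group Policy):"
    $policy -split ','
} else {
    "Cipher suite order (local default):"
    (Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue).Functions
}
```

Run it on each side and diff the two outputs: a client that only lists TLS 1.0 as enabled for the Client role, or a server whose suite list contains no suite the client also supports, explains a handshake that Wireshark shows stalling after ClientHello.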
