Enabling TLS 1.2 Client Side Support on EC2 Windows Server 2012 to 2022
I have received an AWS Health Notification indicating AWS API calls were made using TLS 1.0/1.1 on my Amazon Elastic Compute Cloud (EC2) Instance running Microsoft Windows. How do I enable TLS 1.2 on my Amazon EC2 Windows Instance?
Many applications are dependent on the .NET Framework registry settings in the OS to establish TLS client server communications when making an API call to AWS endpoints. There are a few exceptions when dealing with older Windows versions, but for versions newer than Windows Server 2012 R2 you can jump to the procedure section below.
These changes will set TLS 1.2 as the minimum TLS protocol level for .NET Framework and Internet Information Services (IIS) applications as per Microsoft’s TLS best practices. Please ensure you know the TLS versions your applications use prior to performing the changes. In addition, updating .NET Framework on the Operating System (OS) may impair applications that are dependent on a specific .NET Framework version. As always, perform a complete AMI backup / snapshot prior to performing OS level changes
Windows Server 2012:
Download and install KB3140245 to enable TLS 1.2 for WinHTTP, then proceed to the Procedure section below*.* If KB3140245 is already present in the list of Windows updates, then you can skip this step and proceed straight to the Procedure section below.
Windows Server 2012 R2 and newer versions onwards:
By default, these operating systems natively support TLS 1.2 client server communications over WinHTTP. However, for the .NET Framework, it is dependent on the .NET Framework version installed within the OS and the registry DWORD keys: SystemDefaultTlsVersions and SchUseStrongCrypto.
Windows Server 2016:
The exception is Windows Server 2016 where TLS 1.2 is enabled by default, however, it is disabled for Secure Channel (SCHANNEL) service. SCHANNEL is responsible for traffic to SQL server and Active Directory Federation Services (ADFS), however, on Windows Server 2016, traffic will use TLS 1.0 by default.
- Identifying .NET Framework versions installed on the OS: https://learn.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed
- Updating .NET Framework 4.x to the latest version. As per Microsoft, NET Framework 4.6.2 and later supports TLS 1.2, for earlier .NET Framework versions, please follow these steps
- Enabling .NET Framework 2.x/3.x/4.x TLS 1.2. The registry key, SchUseStrongCrypto, enables support for strong cryptography while the registry key, SystemDefaultTlsVersions, allows .NET to use the OS configuration for TLS traffic: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client#configure-for-strong-cryptography
- Enabling SCHANNEL TLS 1.2. This allows applications such as SQL server and ADFS which traverse traffic via the SCHANNEL service to use TLS 1.2**:** https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs#enable-and-disable-tls-12
- Installing the latest version of AWS PowerShell Tools and SDK: As per the AWS Developer Tools Blog, version 184.108.40.206 of the SDK has enforced newer TLS protocols into the list of client applicable protocols, provided that the underlying OS has been configured to support TLS 1.2 in the .NET Framework configuration, which is what we have done in the above section. The latest AWS PowerShell Tools and SDK MSI Installer file can be downloaded here.
- Verifying AWS API call was made using TLS 1.2 on CloudTrail: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/