Introducing TLS v1.2

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the security enhancements to Transport Layer Security (TLS) in Windows 7 and Windows Server 2008 R2.

TLS and Schannel

Microsoft implements the Secure Sockets Layer (SSL) protocol and the TLS protocol by using the Schannel authentication package (schannel.dll). For Windows 7 and Windows Server 2008 R2, TLS has been improved to version 1.2 in order to support:

  • Hash negotiation. The client and server can negotiate any hash algorithm to be used as a built-in feature, and the default cipher pair MD5/SHA-1 has been replaced with SHA-256.

  • Certificate hash or signature control. You can configure the certificate requester to accept only specified hash or signature algorithm pairs in the certification path.

  • Suite B–compliant cipher suites. Two cipher suites have been added so that the use of TLS can be Suite B compliant:

    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

How to control the use of TLS

To control the use of TLS, you need to set the cipher suite requirement for your computer that will force adherence to TLS 1.2. Use the following steps:

  1. Using Group Policy, enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing security policy setting.

  2. Open Internet Explorer. On the Tools menu, click Internet Options. Click the Advanced tab, and then select the Use TLS 1.2 check box.

Resources for TLS and Schannel

For information about application development that uses the new cipher suites available for TLS 1.2 implementation, see Secure Channel in the MSDN Library.

For information about the Schannel authentication package, see the TLS/SSL Technical Reference.