Internet Explorer error: "Make sure the SSL and TLS protocols are enabled". TLS problems: "Can't connect to this page", and where to enable TLS

In October 2014, Google engineers published details of a critical vulnerability in SSL version 3.0, which received the memorable name POODLE (Padding Oracle On Downgraded Legacy Encryption). The flaw lets an attacker in a man-in-the-middle position recover plaintext (for example, session cookies) from traffic protected by SSLv3. Both servers and clients that are able to negotiate SSLv3 are affected.

This is hardly surprising: SSL 3.0, first published in 1996, was by then 18 years old and long obsolete. For most practical purposes it had already been superseded by the TLS protocol (versions 1.0, 1.1 and 1.2).

To protect against POODLE, it is recommended to disable SSLv3 support completely, on both the client and the server side, and to use only TLS from then on. For users of obsolete software (for example, IIS 6 on Windows XP) this means they will no longer be able to open HTTPS pages or use other SSL-based services. If SSLv3 is not disabled entirely but a stronger protocol is merely preferred by default, POODLE still applies. The reason lies in how client and server negotiate the protocol version: when a TLS handshake fails, many clients automatically retry with the older SSL 3.0 (the so-called downgrade dance), and an active attacker can deliberately break the TLS handshake to trigger that fallback. Removing SSLv3 on both sides is therefore the only reliable fix.

We recommend checking every service that uses SSL/TLS in any form and disabling SSLv3 support. You can check a web server for the vulnerability with an online test, for example here: http://poodlebled.com/.

Note. Bear in mind that disabling SSLv3 at the system level only affects software that uses the system SSL/TLS API (Schannel): Internet Explorer, IIS, SQL NLA, RRAS and so on. Programs that ship their own cryptographic stack (Firefox, Opera and others) must be updated and configured individually.

Disable SSLv3 in Windows at the system level

In Windows, SSL/TLS protocol support is controlled through the registry (the Schannel settings under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols).

In this example SSLv3 is disabled completely at the system level (on both the client and the server side) on Windows Server 2012 R2.

Disable SSLv2 (Windows Server 2008 and earlier)

In operating systems older than Windows 7 / Windows Server 2008 R2, the even weaker and long-obsolete SSL 2.0 is also enabled by default, and it should be disabled for the same security reasons (in newer Windows versions SSLv2 is disabled by default on the client side, so only SSLv3 and TLS 1.0 are used). To disable SSLv2, repeat the procedure described above for the registry key SSL 2.0.

In Windows Server 2008/2012 SSLv2 is disabled by default on the client side.

Enable TLS 1.1 and TLS 1.2 on Windows Server 2008 R2 and later

Windows Server 2008 R2 / Windows 7 and later support the TLS 1.1 and TLS 1.2 protocol versions, but by default these versions are disabled. Enabling TLS 1.1 and TLS 1.2 on these Windows versions follows the same pattern, using the registry keys TLS 1.1 and TLS 1.2.
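The three registry procedures above (disable SSL 3.0, disable SSL 2.0, enable TLS 1.1/1.2) are shown here as one added PowerShell example; it is not code from the original article. It uses Microsoft's documented Schannel registry layout (Enabled and DisabledByDefault DWORDs under each protocol's Client and Server subkeys), must run as Administrator, and the machine must be rebooted afterwards for Schannel to pick the values up.

```powershell
# Added example: Schannel protocol switches via the registry (not from the original article).
# Layout: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\<Protocol>\<Client|Server>
#   Enabled           (DWORD) 0 = protocol off, 1 = on
#   DisabledByDefault (DWORD) 1 = not offered unless an application asks for it explicitly
# Run as Administrator; reboot afterwards.

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path (Join-Path $Base $Protocol) $Side
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # -Force overwrites an existing value
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # 'OS default' means no value is set, so the built-in default of this Windows version applies
    foreach ($Protocol in $Protocols) {
        foreach ($Side in 'Client', 'Server') {
            $Key   = Join-Path (Join-Path $Base $Protocol) $Side
            $Props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
            [pscustomobject]@{
                Protocol          = $Protocol
                Side              = $Side
                Enabled           = if ($null -ne $Props -and $null -ne $Props.Enabled) { $Props.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $Props -and $null -ne $Props.DisabledByDefault) { $Props.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

# Starting point, worth saving before any change
Get-SchannelProtocolState | Format-Table -AutoSize

# POODLE hardening: no SSL 2.0/3.0 on either side; TLS 1.1/1.2 on (Windows 7 / Server 2008 R2 and later)
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host 'Reboot for Schannel to apply the new protocol settings.'
```

Change one protocol at a time and test from a client afterwards: disabling TLS 1.0 on the client side as well will break connections to servers that speak nothing newer, which is exactly the situation the Internet Explorer sections further down describe.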


A utility for managing system cryptographic protocols in Windows Server

There is a free utility, IIS Crypto, that lets you manage the cryptographic protocol settings of Windows Server 2003, 2008 and 2012 conveniently. With it you can enable or disable any of the protocols in two clicks.

The program ships with several templates that let you quickly apply presets for various security levels. Whatever tool you use, Schannel reads these settings at boot, so a reboot is needed for the change to take effect, and the result should be tested from a client afterwards.

If you run into a problem where a specific site cannot be opened and the browser shows an error message, there is a reasonable explanation. The causes and the ways to fix the problem are described in this article.

The SSL/TLS protocol

Users in public-sector organizations, and not only those, whose work is directly related to finance and involves interaction with financial bodies such as the Ministry of Finance or the Treasury, carry out all their operations exclusively over SSL-protected connections. For this they mostly use the Internet Explorer browser, in some cases Mozilla Firefox.

SSL error

When carrying out these operations, and in the work as a whole, the focus is on the protection system: certificates and electronic signatures. The CryptoPro software of a current version is used for this. As for problems with the SSL and TLS protocols: if an SSL error appears, most likely the protocol is not supported (or not enabled) on one side.

TLS error

A TLS error in many cases also indicates a lack of support for the protocol. But let us see what can be done in this case.

SSL and TLS protocol support

So, when you use Microsoft Internet Explorer to visit an SSL-protected website, the page reports: Make sure the SSL and TLS protocols are enabled. First of all, you need to enable support for TLS 1.0 in Internet Explorer.

If the website is served by Internet Information Services 4.0 or later, configuring Internet Explorer to support TLS 1.0 helps protect your connection, provided, of course, that the remote web server you are trying to use supports this protocol.

To do this, open the Tools menu and select Internet Options.

On the Advanced tab, in the Security section, the original instruction is to make sure the following boxes are checked:

  • Use SSL 2.0
  • Use SSL 3.0
  • Use TLS 1.0

Given the POODLE section at the beginning of this page, the safer choice is to check only Use TLS 1.0 (plus Use TLS 1.1 and Use TLS 1.2 where your Internet Explorer version offers them) and to leave Use SSL 2.0 and Use SSL 3.0 unchecked; re-enable SSL 3.0 only as a last resort for a legacy server that speaks nothing else, and clear it again afterwards.

Click Apply, then OK, and restart the browser.

After enabling TLS 1.0, try to visit the website again.

System security policy

If SSL and TLS errors still occur and you still cannot use SSL, the remote web server probably does not support TLS 1.0. In this case you need to disable the system policy that requires FIPS-compliant algorithms: with that policy on, Schannel negotiates only TLS with FIPS-approved cipher suites, so a server that speaks only SSL 3.0 cannot be reached. Be aware that turning the policy off to reach such a server re-exposes the connection to the SSLv3 weaknesses described above.

To do this, in Control Panel open Administrative Tools and double-click Local Security Policy.

In Local Security Settings, expand the Local Policies node and click Security Options.

In the list of policies on the right, double-click System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing and select Disabled.

Attention!

The change takes effect once the local security policy is reapplied (after a reboot or a policy refresh); then restart the browser.

CryptoPro TLS/SSL

Update CryptoPro

One solution to the problem is to update CryptoPro and re-run the workplace setup for the resource. In this case the work concerns electronic payments. Go to the certification authority's site and, as the resource, select electronic trading platforms.

Once the automatic workplace setup has started, all that remains is to wait for the procedure to complete and then restart the browser. If you are asked to enter or select a resource address, choose the one you need. At the end of the setup a computer restart may also be required.

TLS is the successor of SSL, a protocol that provides a reliable and secure connection between hosts on the Internet. It is used in the development of various clients, including browsers and client-server applications. What is TLS in Internet Explorer?

A little about the technology

All enterprises and organizations that carry out financial transactions use this protocol to prevent packet sniffing and unauthorized access by attackers. The technology was created to protect sensitive connections from attack.

Mostly the built-in browser (Internet Explorer) is used for this; in some cases, Mozilla Firefox.

Enabling and disabling the protocol

Some sites cannot be opened because support for SSL and TLS is disabled; the browser shows a corresponding notification. So, how do you enable the protocols to keep enjoying a secure connection?
1. Open Control Panel from the Start menu. Another way: open Internet Explorer and click the gear icon in the upper right corner.

2. Go to Internet Options and open the Advanced tab.

3. Check the boxes next to Use TLS 1.1 and Use TLS 1.2.

4. Click OK to save the changes. If you want to disable the protocols, which is strongly discouraged, especially if you use Internet banking, clear the same boxes.
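The Internet Options procedure (described twice above: Use TLS 1.0 in the first description, Use TLS 1.1 / 1.2 here) and the FIPS policy check from the System security policy section can also be done and verified from PowerShell. This added example is not part of the original article. It relies on the SecureProtocols bitmask that Internet Explorer stores under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (bit values as documented by Microsoft: 0x8 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2) and on the Enabled value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, where the "Use FIPS compliant algorithms" policy is stored.

```powershell
# Added example (not from the original article). The HKCU part runs in the user's own session;
# reading the FIPS policy needs no elevation, changing it does.
$IeKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# Bit values of the SecureProtocols DWORD, one bit per "Use ..." check box on the Advanced tab
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-IeSecureProtocols {
    $Value = (Get-ItemProperty -Path $IeKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $Value) {
        return 'SecureProtocols is not set: the default of this Internet Explorer version applies'
    }
    $On = foreach ($Name in $ProtocolBits.Keys) { if ($Value -band $ProtocolBits[$Name]) { $Name } }
    'SecureProtocols = 0x{0:X}: {1}' -f $Value, ($On -join ', ')
}

function Set-IeSecureProtocols {
    # $Protocols takes names from $ProtocolBits, e.g. 'TLS 1.0','TLS 1.1','TLS 1.2'
    param([Parameter(Mandatory)][string[]]$Protocols)
    $Mask = 0
    foreach ($Name in $Protocols) {
        if (-not $ProtocolBits.Contains($Name)) { throw "Unknown protocol name: $Name" }
        $Mask = $Mask -bor $ProtocolBits[$Name]
    }
    Set-ItemProperty -Path $IeKey -Name SecureProtocols -Type DWord -Value $Mask
    return $Mask
}

function Get-FipsPolicyState {
    $Value = (Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($Value -eq 1) {
        'FIPS policy ENABLED: Schannel negotiates TLS with FIPS-approved cipher suites only; servers that speak only SSL 3.0 or non-FIPS suites will fail'
    } else {
        'FIPS policy disabled or not set'
    }
}

Get-IeSecureProtocols
Get-FipsPolicyState

# Hardened equivalent of the check-box list in the text: TLS only, no SSL 2.0/3.0
Set-IeSecureProtocols -Protocols 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
Get-IeSecureProtocols

# Restart Internet Explorer afterwards. To switch the FIPS policy off without secpol.msc (Administrator, then reboot):
#   Set-ItemProperty -Path $FipsKey -Name Enabled -Type DWord -Value 0
```

Reading the bitmask before and after the change is the quickest way to confirm what the dialog actually wrote, and to spot an SSL 2.0/3.0 bit that someone re-enabled to reach a legacy site and forgot to clear.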

What is the difference between 1.0, 1.1 and 1.2? TLS 1.1 is only a slightly improved version of TLS 1.0 that partly inherits its flaws; TLS 1.2 is the most secure of the three. On the other hand, if only this version is enabled, not every site will open.

As you know, the Skype messenger is tied to Internet Explorer as a Windows component. If the TLS protocol is not checked in the settings, Skype may have problems: the program simply will not be able to connect to its server.

If TLS support disappears from the Internet Explorer settings, none of the program's network functions will work. Moreover, the safety of your data depends on this technology. Do not neglect it if you perform financial operations in this browser (purchases in online stores, transfers through Internet banking or an e-wallet, and so on).

The TLS protocol encrypts all kinds of Internet traffic, making secure communication and commerce on the Internet possible. Below we describe how the protocol works and what awaits us in the future.


What is SSL

SSL, or Secure Sockets Layer, was the original name of the protocol, developed by Netscape in the mid-1990s. SSL 1.0 was never publicly released, and version 2.0 had serious flaws. SSL 3.0, released in 1996, was a complete redesign and set the tone for the next stage of development.

What is TLS

When the next version of the protocol was released in 1999, it was standardized by the Internet Engineering Task Force (IETF) and given a new name: Transport Layer Security, or TLS. As the TLS 1.0 specification (RFC 2246) states, "the differences between this protocol and SSL 3.0 are not dramatic", although they are large enough that TLS 1.0 and SSL 3.0 do not interoperate. TLS and SSL form a continuously updated series of protocols, and they are often referred to together as SSL/TLS.

The TLS protocol can encrypt Internet traffic of any kind. The most common kind is web traffic: you know your browser has established a TLS connection when the address in the address bar starts with "https".

TLS is also used by other applications, for example mail and conferencing systems.

How TLS works

Encryption is necessary for secure communication on the Internet. If your data is not encrypted, anyone who can observe it can read the confidential information inside.

The fundamental building block here is asymmetric encryption. It requires two keys, one public and one private. These are files containing, most often, very large numbers. The mechanism is complex, but put simply: the public key is used to encrypt data, and the private key is needed to decrypt it. The two keys are linked by a mathematical relationship that is hard to break.

You can think of the public key as directions to a locked mailbox with a slot, and the private key as the key that opens the box. Anyone who knows where the box is can drop a letter in. But to read it, a person needs the key that opens the box.

Because asymmetric encryption involves heavy mathematical computation, it needs a lot of processing power. TLS solves this problem by using asymmetric cryptography only at the beginning of the session: the server and the client agree on a single session key, which they then use with fast symmetric encryption to protect the data packets.

The process by which the client and the server agree on the session key is called the handshake. It is the moment when the two communicating computers introduce themselves to each other.

TLS handshake

The TLS handshake is fairly complicated. The steps below describe it in broad strokes so that you understand how it works in general.

  1. The client connects to the server and requests a secure connection, sending the list of cipher suites (sets of algorithms used to build the encrypted connection) it is able to use. The server compares that list with its own supported cipher suites, picks one, and tells the client which one they will use together.
  2. The server presents its digital certificate, an electronic document signed by a trusted third party that confirms the server's identity. The most important piece of information in the certificate is the server's public key. The client verifies the certificate.
  3. Using the server's public key, the client and the server establish the session key that both will use for the rest of the session to encrypt communication. There are several methods for this. In the RSA key exchange the client encrypts a random value with the public key and sends it to the server to decrypt, and both sides derive the session key from it; alternatively, an ephemeral Diffie-Hellman exchange signed with the server's key is used, which adds forward secrecy.

The session key is valid only for one continuous session. If for some reason the connection between the client and the server is interrupted, a new handshake is needed to establish a new session key.
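The handshake described above, and the advice at the top of the page to check every service for leftover SSLv3, can be verified from a Windows host with the following added PowerShell example (not code from the original article). It drives the Schannel stack through .NET's SslStream, offers the server one protocol version at a time (SSL 3.0, TLS 1.0, 1.1, 1.2) and reports what the handshake produced: negotiated version, cipher, key exchange and server certificate. The host name and port are placeholders for a server you are allowed to test, and the script needs network access to it.

```powershell
# Added example (not from the original article): probe which SSL/TLS versions a server completes a handshake with.
function Test-TlsVersions {
    param(
        [Parameter(Mandatory)][string]$HostName,   # placeholder: a server you are allowed to test
        [int]$Port = 443
    )
    # The callback accepts any certificate so that a bad certificate does not hide the protocol answer.
    # It disables server authentication: use it for this probe only, never in real code.
    $AcceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback]{ param($Sender, $Cert, $Chain, $Errors) $true }

    # .NET names: Ssl3 = SSL 3.0, Tls = TLS 1.0, Tls11 = TLS 1.1, Tls12 = TLS 1.2
    foreach ($Name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $Proto  = [System.Security.Authentication.SslProtocols]$Name
        $Client = New-Object System.Net.Sockets.TcpClient
        try {
            $Client.Connect($HostName, $Port)
            $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $AcceptAnyCert)
            # Offer exactly one version; the server either completes the handshake with it or rejects it
            $Ssl.AuthenticateAsClient($HostName, $null, $Proto, $false)
            [pscustomobject]@{
                Offered     = $Name
                Result      = 'handshake OK'
                Negotiated  = $Ssl.SslProtocol
                Cipher      = '{0}/{1}' -f $Ssl.CipherAlgorithm, $Ssl.CipherStrength
                KeyExchange = '{0}/{1}' -f $Ssl.KeyExchangeAlgorithm, $Ssl.KeyExchangeStrength
                CertSubject = $Ssl.RemoteCertificate.Subject
            }
            $Ssl.Dispose()
        } catch {
            [pscustomobject]@{
                Offered     = $Name
                Result      = 'refused: ' + $_.Exception.GetBaseException().Message
                Negotiated  = $null; Cipher = $null; KeyExchange = $null; CertSubject = $null
            }
        } finally {
            $Client.Dispose()
        }
    }
}

# On a POODLE-hardened server the Ssl3 row comes back 'refused' and Tls12 'handshake OK'
Test-TlsVersions -HostName 'www.example.com' | Format-Table -AutoSize
```

The local Schannel configuration limits what the client can offer: once SSL 3.0 is disabled on the client side as recommended at the top of the page, the Ssl3 row is refused locally regardless of the server, so run the probe from a host that still has SSL 3.0 enabled on the client side when the question is whether the server accepts it.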

TLS 1.2 and protocol vulnerabilities

TLS 1.2 is the most widely used version of the protocol. This version established the baseline set of session encryption options. However, like some earlier versions, it still allowed older encryption techniques to be negotiated in order to support old computers. Unfortunately this led to vulnerabilities in deployments of version 1.2, as those older mechanisms became increasingly weak.

For example, TLS 1.2 deployments proved particularly exposed to active man-in-the-middle attacks, in which the attacker intercepts the packets in the middle of the session and passes them on after reading or altering them; such attacks typically rely on forcing both sides onto the weakest options they still accept. Many of these problems came to light over the past two years, so an updated version of the protocol became urgently necessary.

TLS 1.3

Version 1.3 of the TLS protocol, which at the time of writing was about to be finalized (it was published as RFC 8446 in August 2018), solves many of these problems because it drops support for the outdated encryption systems altogether.
The new version remains compatible with the previous ones: for example, the connection falls back to TLS 1.2 if one of the parties cannot use any of the newer algorithms allowed in version 1.3. However, in an active man-in-the-middle attack, if the attacker tries to force the version down to 1.2 during the handshake, the downgrade is detected (a TLS 1.3 server marks such a fallback in its ServerHello random value) and the connection is aborted.

How to enable TLS 1.3 support in Google Chrome and Firefox

Firefox and Chrome support TLS 1.3, but at the time of writing this version was not enabled by default, because it existed only as a draft. (Current releases of both browsers enable TLS 1.3 by default, so the steps below apply only to the browser versions of that period.)

Mozilla Firefox

Enter about:config in the browser address bar and confirm that you are aware of the risks.

  1. The Firefox settings editor opens.
  2. Search for security.tls.version.max.
  3. Change the value to 4 by double-clicking the current value.

Google Chrome

  1. Enter chrome://flags/ in the browser address bar to open the experiments page.
  2. Find the option #tls13-variant.
  3. Open its menu and select Enabled (Draft).
  4. Restart the browser.

How to verify that your browser uses version 1.2

We remind you that at the time of writing version 1.3 was not yet in public use. If you do not want to use the draft variant, you can stay on version 1.2.

To verify that your browser uses version 1.2, follow the same steps as in the instructions above and make sure that:

  • For Firefox, the value of security.tls.version.max is 3. If it is lower, change it to 3 by double-clicking the current value.
  • For Google Chrome: click the browser menu, select Settings, choose Show advanced settings, scroll down to the System section and click Open proxy settings...:

  • In the window that opens (the Windows Internet Options dialog), click the Advanced tab and check that Use TLS 1.2 is ticked in the Security section. If it is not, tick it and click OK. Note that this dialog sets the protocol list for Internet Explorer and other Windows (Schannel, WinINet) clients; Chrome carries its own TLS stack, so what Chrome actually negotiates is best confirmed with the SSL Labs client test described below.

The changes take effect after you restart the computer.

A quick tool for checking the browser's SSL/TLS protocol version

Open the SSL Labs client test (https://www.ssllabs.com/ssltest/viewMyClient.html). The page shows in real time the protocol version your browser uses and whether the browser is subject to known vulnerabilities.

Source: translated article.


Setting up SSL/TLS for CryptoPro

Network configuration

Another option is to disable NetBIOS over TCP/IP, found in the connection properties (advanced TCP/IP settings, WINS tab).

Registering the DLL

Open a command prompt as administrator and run the command regsvr32 cpcng. On a 64-bit OS you must use the regsvr32 located in SysWOW64 (the 32-bit one).
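Both steps of this section in scripted form, as an added PowerShell example that is not part of the original article. It assumes that 'cpcng' resolves through the DLL search path exactly as in the article's "regsvr32 cpcng" command (CryptoPro's installation directory being on that path), and it must run as Administrator.

```powershell
# Added example (not from the original article); run as Administrator.

# 1) Disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    SetTcpipNetbios options: 0 = use DHCP setting, 1 = enable, 2 = disable.
#    Scripted form of the "connection properties" setting in the text: it touches all adapters, not one,
#    and legacy name resolution (WINS, SMB browsing) stops working on this host.
function Disable-NetbiosOverTcpip {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        $Result = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        [pscustomobject]@{
            Adapter     = $_.Description
            ReturnValue = $Result.ReturnValue   # 0 = done, 1 = reboot required, anything else = failed
        }
    }
}

# 2) Register the CryptoPro cpcng DLL with the regsvr32 of the right bitness: on 64-bit Windows the 32-bit
#    regsvr32 lives in SysWOW64, as the article says. Assumption: 'cpcng' is found via the DLL search path.
function Register-CryptoProCng {
    param([bool]$Use32BitRegsvr32 = $true)
    $Dir    = if ([Environment]::Is64BitOperatingSystem -and $Use32BitRegsvr32) { 'SysWOW64' } else { 'System32' }
    $Regsvr = Join-Path $env:windir (Join-Path $Dir 'regsvr32.exe')
    & $Regsvr /s cpcng      # /s = silent; the exit code carries the result
    if ($LASTEXITCODE -ne 0) { Write-Warning "regsvr32 cpcng failed with exit code $LASTEXITCODE ($Regsvr)" }
    return $LASTEXITCODE
}

Disable-NetbiosOverTcpip | Format-Table -AutoSize
Register-CryptoProCng
```

A ReturnValue of 1 from the NetBIOS step means the adapter needs a reboot before the setting is active, which lines up with the restart the CryptoPro workplace setup may itself require.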