Query for TLS versions
Patrick Garber
Hello,
I have a piece of software that requires TLS 1.2+ enabled on systems for communications. Is there an easy way to query the different versions of TLS enabled on a machine? Trying to build out collections based on this information to remediate.
Comments
Patrick,
This document by Microsoft seems to list registry keys for TLS 1.2 that you can check for to determine whether it is enabled or disabled. There is a different registry entry for each client and server, so you will need to determine whether your software requires your computers to be a TLS 1.2 client or a TLS 1.2 server.
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
EDIT: After more testing it looks like that key usually doesn't exist unless you explicitly create it; TLS 1.2 could be enabled even if the "Enabled" registry key does not exist. This method might not work for you.
This is what I have to detect when TLS 1.2 is disabled. Windows 2012 R2 or better automatically has it enabled and has no entry in the registry. Older Windows requires an entry to enable it.
This is just for the server side, but you can go from here.
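Putting the two replies above together, here is an added PowerShell example (not code from either reply or from the Microsoft document) that reads the SChannel protocol keys for each TLS version and role, and reports an absent key as "OS default" instead of "disabled". The rule it uses to resolve that default for TLS 1.2 (Windows Server 2012 R2 and later enable it without a registry entry) is taken from the reply above and treated as an assumption.

```powershell
# Added example, not code from the thread. Reads the SChannel protocol keys
# that the Microsoft document describes and reports each version's state.
# Assumption (from the reply above): on Windows 8.1 / Server 2012 R2 (6.3) and
# later an absent "TLS 1.2" key means TLS 1.2 is on; older Windows needs the key.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,                 # e.g. 'TLS 1.2'
        [ValidateSet('Client','Server')][string]$Role = 'Server'
    )
    $path = Join-Path $Base "$Protocol\$Role"
    $enabled = $null; $disabledByDefault = $null
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path
        $enabled           = $props.Enabled            # 0 = off; 1 or 0xffffffff (-1) = on
        $disabledByDefault = $props.DisabledByDefault  # 1 = apps must opt in explicitly
    }
    if ($null -eq $enabled -and $null -eq $disabledByDefault) {
        $state = 'OS default (no registry override)'   # the case the EDIT above warns about
    }
    elseif ($enabled -eq 0)         { $state = 'Disabled' }
    elseif ($disabledByDefault -eq 1) { $state = 'Disabled by default' }
    else                            { $state = 'Enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; Enabled = $enabled
                       DisabledByDefault = $disabledByDefault; State = $state }
}

function Test-Tls12Available {
    # Resolve 'OS default' for TLS 1.2 with the version rule stated in the thread.
    param([ValidateSet('Client','Server')][string]$Role = 'Server')
    $s = Get-SchannelProtocolState -Protocol 'TLS 1.2' -Role $Role
    if ($s.State -ne 'OS default (no registry override)') { return ($s.State -eq 'Enabled') }
    $osVer = [version](Get-CimInstance Win32_OperatingSystem).Version
    return ($osVer -ge [version]'6.3')
}

# Inventory-style report: one row per protocol and role, then the TLS 1.2 verdict.
foreach ($p in 'TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3') {
    foreach ($r in 'Client','Server') { Get-SchannelProtocolState -Protocol $p -Role $r }
}
"TLS 1.2 usable as server: $(Test-Tls12Available -Role Server)"
"TLS 1.2 usable as client: $(Test-Tls12Available -Role Client)"
```

Run it as an administrator on each machine; the Client rows are the ones that matter if your software makes outbound connections, the Server rows if it accepts them.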
Another option is this PowerShell Scanner: https://github.com/pdq/PowerShell-Scanners/tree/master/PowerShell%20Scanners/Cipher%20Suite%20Detection