Transport Layer Security (TLS) registry settings

Last updated on:  2021-05-24

Authored by:  David Fonseca


This article describes registry settings for the Windows® implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols through the Schannel Security Support Provider (SSP).

Note: Applies to Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, and Windows 10.

The following sections address specific registry setting parameters:

CertificateMappingMethods

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Two methods exist for mapping client certificates:

  • One-to-one mappings: These mappings match individual client certificates to individual user accounts on a one-to-one basis. Each client certificate maps to a user account.

  • Many-to-one mappings: These mappings match multiple certificates to a user account based on subfields in the client certificates.

After you configure this entry on your server, each time a client presents a client certificate, the system automatically associates that user with the appropriate Windows user account.

Ciphers and cipher suites

Configure cipher suites through the TLS cipher suite order group policy, MDM, or PowerShell®; this article does not cover that configuration.

ClientCacheTime

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

This entry controls the time that the operating system takes (in milliseconds) to expire client-side cache entries. If the value is 0, it turns off the secure connection.

EnableOcspStaplingForSni

Online Certificate Status Protocol (OCSP) is a protocol for obtaining the revocation status of an X.509 digital certificate during the TLS handshake. Enabling this entry lets the web server reduce its workload.

Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Add the following key: "EnableOcspStaplingForSni"=dword:00000001

To disable, set the DWORD value to 0: "EnableOcspStaplingForSni"=dword:00000000
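The two registry lines above, applied and read back from PowerShell. This is an added example and not part of the Rackspace article; it assumes an elevated PowerShell session on Windows Server 2016/2019, and the web server must be restarted (or the host rebooted) before Schannel applies the change.

```powershell
# Added example (not from the article): enable OCSP stapling for SNI-based
# sites and read the value back. Assumes an elevated PowerShell session.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-OcspStaplingForSni {
    param([Parameter(Mandatory)] [bool] $Enabled)
    # Equivalent of "EnableOcspStaplingForSni"=dword:00000001 (or 00000000).
    New-ItemProperty -Path $SchannelKey -Name 'EnableOcspStaplingForSni' `
        -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
}

function Get-OcspStaplingForSni {
    # Returns 1, 0, or $null when the entry has never been created
    # (Schannel then uses its built-in default).
    $props = Get-ItemProperty -Path $SchannelKey -Name 'EnableOcspStaplingForSni' `
        -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.EnableOcspStaplingForSni
}

Set-OcspStaplingForSni -Enabled $true
'EnableOcspStaplingForSni is now: {0}' -f (Get-OcspStaplingForSni)

# To disable again, as the article's second line does:
# Set-OcspStaplingForSni -Enabled $false
```

Reading the value back with Get-ItemProperty rather than trusting the write is the useful habit here: a missing entry and an entry set to 0 behave differently from the operator's point of view (default versus explicitly disabled), and the audit function distinguishes the two.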

FIPSAlgorithmPolicy

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\LSA

The National Institute of Standards and Technology publicly announces Federal Information Processing Standards (FIPS) developed for use in computer systems by non-military American government agencies and government contractors. Setting this entry controls FIPS compliance. The default is 0.

Hashes

Control the TLS/SSL hash algorithms by configuring the cipher suite order.

IssuerCacheSize

When an issuer does not map to an account, the server might attempt to map the same issuer name repeatedly, hundreds of times per second. You use this entry, which controls the size of the issuer cache, together with issuer mapping. The default value is 100.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

IssuerCacheTime

Where IssuerCacheSize limits repeated attempts to map the same issuer, this entry limits the length of the cache timeout interval in milliseconds. The default value is 10 minutes.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

KeyExchangeAlgorithm: Client RSA key sizes

This entry controls the client RSA key size.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS

To specify a minimum length for the RSA key, create a ClientMinKeyBitLength entry and assign the desired length. If you don’t create this entry, the default value is 1024 bits. To specify a maximum length, create the ClientMaxKeyBitLength entry and assign the desired value.

Note: Configuring the cipher suite order should control using key exchange algorithms.

KeyExchangeAlgorithm: Diffie-Hellman key sizes

This entry controls the Diffie-Hellman key sizes.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman

The entries that specify Diffie-Hellman key sizes are the same as for the RSA key. To specify a minimum supported Diffie-Hellman key size, create a ClientMinKeyBitLength entry and assign the desired bit length. If you don’t create this entry, the default value is 1024 bits. To specify a maximum supported size, create the ClientMaxKeyBitLength entry and assign the desired value. Finally, use the ServerMinKeyBitLength entry to specify the minimum length for the TLS server. If you don’t create it, the default value is 2048.

Note: Configuring the cipher suite order should control using key exchange algorithms.
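The RSA and Diffie-Hellman key-size entries from the two preceding sections, set and audited from PowerShell. This is an added example and not code from the Rackspace article; it assumes an elevated PowerShell session and a reboot before Schannel reads the new values. The 2048-bit minimum chosen below is an assumption for illustration, not a value the article recommends; the defaults in the table are the ones the article states.

```powershell
# Added example (not from the article): set and audit the per-subkey
# key-size entries under SCHANNEL\KeyExchangeAlgorithms.

$KexRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms'

# Entries the article documents for each subkey, with the defaults it states
# ($null = no default stated for a maximum).
$KexEntries = [ordered]@{
    'PKCS'           = @{ ClientMinKeyBitLength = 1024; ClientMaxKeyBitLength = $null }
    'Diffie-Hellman' = @{ ClientMinKeyBitLength = 1024; ClientMaxKeyBitLength = $null; ServerMinKeyBitLength = 2048 }
}

function Set-SchannelKeyBitLength {
    param(
        [Parameter(Mandatory)] [ValidateSet('PKCS', 'Diffie-Hellman')] [string] $Algorithm,
        [Parameter(Mandatory)] [string] $Entry,
        [Parameter(Mandatory)] [ValidateRange(512, 16384)] [int] $Bits
    )
    if (-not $KexEntries[$Algorithm].ContainsKey($Entry)) {
        throw "Entry '$Entry' is not documented for the $Algorithm subkey"
    }
    $key = Join-Path $KexRoot $Algorithm
    New-Item -Path $key -Force | Out-Null    # creates the subkey if it is missing
    New-ItemProperty -Path $key -Name $Entry -PropertyType DWord -Value $Bits -Force | Out-Null
}

function Get-SchannelKeyBitLength {
    # One row per documented entry. An absent entry means the default applies;
    # a minimum below 2048 bits (configured or default) is flagged as Weak.
    foreach ($alg in $KexEntries.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $KexRoot $alg) -ErrorAction SilentlyContinue
        foreach ($entry in $KexEntries[$alg].Keys) {
            $configured = $props.$entry
            $default    = $KexEntries[$alg][$entry]
            $effective  = if ($null -ne $configured) { $configured } else { $default }
            [pscustomobject]@{
                Algorithm  = $alg
                Entry      = $entry
                Configured = if ($null -eq $configured) { '(not set)' } else { $configured }
                Default    = if ($null -eq $default) { '(none stated)' } else { $default }
                Weak       = ($entry -like '*Min*' -and $null -ne $effective -and $effective -lt 2048)
            }
        }
    }
}

# Assumed hardening target: refuse RSA and DH keys shorter than 2048 bits.
Set-SchannelKeyBitLength -Algorithm 'PKCS'           -Entry 'ClientMinKeyBitLength' -Bits 2048
Set-SchannelKeyBitLength -Algorithm 'Diffie-Hellman' -Entry 'ClientMinKeyBitLength' -Bits 2048
Set-SchannelKeyBitLength -Algorithm 'Diffie-Hellman' -Entry 'ServerMinKeyBitLength' -Bits 2048

Get-SchannelKeyBitLength | Format-Table -AutoSize
```

Running only Get-SchannelKeyBitLength on an untouched host shows the Weak flag set for both ClientMinKeyBitLength rows, because the article's 1024-bit default is what applies when the entry does not exist; that is the state the audit is meant to surface before any write is made.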

MaximumCacheSize

Cache elements can have different sizes. Use this entry to set a maximum cache size. Setting the value to 0 disables the server-side session cache and prevents reconnection. Increasing this value is likely to increase memory consumption on your server. The default value is 20,000 elements.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Messaging: fragment parsing

Each time a client connects to a server with TLS and the connection succeeds, the system stores a handshake message on the server. You can set a size limit for the storage of those messages. Setting the value to 0x0 prevents storing handshake messages, which causes TLS to fail. You can increase the maximum allowed size to 2^24-1 bytes.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Messaging

SendTrustedIssuerList

Use this entry only if you do not want the server to send a list of trusted issuers to the client.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

ServerCacheTime

Use this entry to set the time (in milliseconds) that the operating system takes to expire server-side cache entries.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

A value of 0 disables the server-side session cache and prevents reconnection. Increasing ServerCacheTime above the default values causes Lsass.exe to consume memory. Each session cache element typically requires 2 to 4 KB of memory. Default server cache time is 10 hours.
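A read-only audit of the cache-related entries covered so far (ClientCacheTime, ServerCacheTime, IssuerCacheTime, MaximumCacheSize, IssuerCacheSize), added here as an example that is not part of the Rackspace article. The defaults it compares against are the ones the article states; the article gives no default for ClientCacheTime, so that row shows none. It assumes PowerShell 5.1 and needs no elevation, since it only reads the SCHANNEL key.

```powershell
# Added example (not from the article): report the Schannel cache entries,
# flag a 0 (caching disabled) and flag values above the article's defaults,
# which the article says cost Lsass.exe memory.

$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

$CacheEntries = [ordered]@{
    ClientCacheTime  = @{ Unit = 'ms';       Default = $null }               # not stated in the article
    ServerCacheTime  = @{ Unit = 'ms';       Default = 10 * 60 * 60 * 1000 } # 10 hours
    IssuerCacheTime  = @{ Unit = 'ms';       Default = 10 * 60 * 1000 }      # 10 minutes
    MaximumCacheSize = @{ Unit = 'elements'; Default = 20000 }
    IssuerCacheSize  = @{ Unit = 'entries';  Default = 100 }
}

function Format-CacheValue {
    param([string] $Unit, $Value, [string] $Missing)
    if ($null -eq $Value) { return $Missing }
    if ($Unit -eq 'ms') {
        # Show milliseconds and a human-readable duration side by side.
        return ('{0} ms ({1})' -f $Value, [TimeSpan]::FromMilliseconds($Value))
    }
    return "$Value $Unit"
}

function Get-SchannelCacheAudit {
    $props = Get-ItemProperty -Path $SchannelKey -ErrorAction SilentlyContinue
    foreach ($name in $CacheEntries.Keys) {
        $spec  = $CacheEntries[$name]
        $value = $props.$name     # $null when the entry does not exist
        $note = if ($null -eq $value) {
            'built-in default applies'
        } elseif ($value -eq 0) {
            'ZERO: caching disabled, every connection needs a full handshake'
        } elseif ($null -ne $spec.Default -and $value -gt $spec.Default) {
            'above the default: expect extra Lsass.exe memory use'
        } else {
            'custom value'
        }
        [pscustomobject]@{
            Entry      = $name
            Configured = Format-CacheValue -Unit $spec.Unit -Value $value -Missing '(not set)'
            Default    = Format-CacheValue -Unit $spec.Unit -Value $spec.Default -Missing '(not stated)'
            Note       = $note
        }
    }
}

Get-SchannelCacheAudit | Format-Table -AutoSize -Wrap
```

The millisecond-to-TimeSpan conversion matters in practice: a ServerCacheTime of 36000000 is ten hours, while a value someone typed as 36000 (thinking in seconds) expires sessions every 36 seconds and forces full handshakes, which looks like a load problem rather than a configuration one.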

If you disable a protocol by default by using the DisabledByDefault entry, and an SSPI application explicitly requests SSL, TLS, or DTLS, that protocol might still be negotiated.

SSL 2.0

This subkey controls the use of SSL 2.0.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the SSL 2.0 protocol, create an Enabled entry (in the Client or Server subkey) and change the value to 1. To disable it, change the value to 0. To disable SSL 2.0 by default, create a DisabledByDefault entry and change the value to 1.

SSL 3.0

This subkey controls the use of SSL 3.0.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the SSL 3.0 protocol, create an Enabled entry (in the Client or Server subkey) and change the value to 1. To disable it, change the value to 0. To disable SSL 3.0 by default, create a DisabledByDefault entry and change the value to 1.

TLS 1.0

This subkey controls the use of TLS 1.0.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the TLS 1.0 protocol, create an Enabled entry (in the Client or Server subkey) and change the value to 1. To disable it, change the DWORD value to 0. To disable TLS 1.0 by default, create a DisabledByDefault entry and change the value to 1.

TLS 1.1

This subkey controls the use of TLS 1.1.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the TLS 1.1 protocol, create an Enabled entry (in the Client or Server subkey) and change the value to 1. To disable it, change the value to 0. To disable TLS 1.1 by default, create a DisabledByDefault entry and change the value to 1.

TLS 1.2

This subkey controls the use of TLS 1.2.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the TLS 1.2 protocol, create an Enabled entry (in the Client or Server subkey) and change the value to 1. To disable it, change the value to 0. To disable TLS 1.2 by default, create a DisabledByDefault entry and change the value to 1.

DTLS 1.0

This subkey controls the use of DTLS 1.0.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the DTLS 1.0 protocol, create an Enabled entry (in the Client or Server subkey) and change the value to 1. To disable it, change the value to 0. To disable DTLS 1.0 by default, create a DisabledByDefault entry and change the value to 1.

DTLS 1.2

This subkey controls the use of DTLS 1.2.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To enable the DTLS 1.2 protocol, create an Enabled entry (in the Client or Server subkey) and change the value to 1. To disable it, change the value to 0. To disable DTLS 1.2 by default, create a DisabledByDefault entry and change the value to 1.
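The per-protocol procedure above (an Enabled entry and a DisabledByDefault entry in the Client and Server subkeys of each protocol) applied to all seven protocols at once, with an audit function that shows what each subkey currently holds. This is an added example, not code from the Rackspace article. It assumes an elevated PowerShell session on Windows Server 2016/2019 and a reboot afterwards; which protocols to turn off is an assumption made for illustration (the legacy SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 versions), not a recommendation from the article.

```powershell
# Added example (not from the article): set Enabled / DisabledByDefault for
# both roles of a Schannel protocol, then list the state of every protocol.

$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$AllProtocols  = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'DTLS 1.0', 'DTLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'DTLS 1.0', 'DTLS 1.2')]
        [string] $Name,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $ProtocolsRoot "$Name\$role"
        # -Force also creates the intermediate protocol key (e.g. 'TLS 1.0').
        New-Item -Path $key -Force | Out-Null
        # Enabled=1/0 turns the protocol on or off. DisabledByDefault=1 keeps it
        # out of the default set, but an SSPI application that asks for it
        # explicitly may still negotiate it (see the note above the protocol
        # sections), so both entries are written together.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and role. '(default)' means the entry does not exist
    # and Schannel falls back to its built-in behaviour for that version.
    foreach ($name in $AllProtocols) {
        foreach ($role in 'Client', 'Server') {
            $props = Get-ItemProperty -Path (Join-Path $ProtocolsRoot "$name\$role") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $name
                Role              = $role
                Enabled           = if ($null -eq $props.Enabled) { '(default)' } else { $props.Enabled }
                DisabledByDefault = if ($null -eq $props.DisabledByDefault) { '(default)' } else { $props.DisabledByDefault }
            }
        }
    }
}

# Assumed target state: legacy versions off, TLS 1.2 explicitly on.
foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Name $legacy -Enabled $false
}
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Format-Table -AutoSize
```

Run Get-SchannelProtocolState before making any change and keep the output: on a host where every row reads '(default)', nothing has been configured explicitly, which is the usual starting point, and the saved output is what you compare against after the reboot.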

©2020 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
