Update to add support for TLS 1.1 and TLS 1.2 in Windows Embedded Compact 7

This article describes an update to add support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Embedded Compact 7.

Before you install this update, all previously issued updates for this product must be installed.

Enable TLS 1.1 and TLS 1.2

By default, TLS 1.1 and TLS 1.2 are enabled when the Windows Embedded Compact 7-based device is configured as a client by using browser settings. The protocols are disabled when the Windows Embedded Compact 7-based device is configured as a web server.

You can use the following registry keys to enable or disable TLS 1.1 and TLS 1.2.

TLS 1.1

The following subkey controls the use of TLS 1.1:

HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.1

To disable the TLS 1.1 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.

Note To enable and negotiate TLS 1.1, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

TLS 1.2

The following subkey controls the use of TLS 1.2:

HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.

Note To enable and negotiate TLS 1.2, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

Additional notes

• The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential.
• Per the Request for Comments (RFC), the design implementation does not allow SSL2 and TLS 1.2 to be enabled at the same time.

Please read the following sections for additional details about TLS 1.1 and 1.2.

Cipher Suites supported by TLS 1.2 only

The following newly added cipher suites are supported by TLS 1.2 only:

• TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_NULL_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

SCHANNEL_CRED

grbitEnabledProtocols

(Optional) This DWORD contains a bit string that represents protocols that have the following condition:

• Supported by connections that are made by having credentials that are acquired by using this structure

The following table shows the additional possible flags that the member can contain.

Value	Description
SP_PROT_TLS1_2_CLIENT	Transport Layer Security 1.2 client-side.
SP_PROT_TLS1_2_SERVER	Transport Layer Security 1.2 server-side
SP_PROT_TLS1_1_CLIENT	Transport Layer Security 1.1 client-side.
SP_PROT_TLS1_1_SERVER	Transport Layer Security 1.1 server-side

SecBuffer

BufferType

This set of bit flags indicates the type of buffer. The following table shows the additional available flags for TLS 1.2.

Flag	Description
SECBUFFER_ALERT	The buffer contains an alert message.

SecPkgContext_ConnectionInfo

dwProtocol

This designates the protocol that is used to establish this connection. The following table shows additional valid constants for this member.

Value	Description
SP_PROT_TLS1_2_CLIENT	Transport Layer Security 1.2 client-side.
SP_PROT_TLS1_2_SERVER	Transport Layer Security 1.2 server-side
SP_PROT_TLS1_1_CLIENT	Transport Layer Security 1.1 client-side.
SP_PROT_TLS1_1_SERVER	Transport Layer Security 1.1 server-side

aiCipher

This is the algorithm identifier (ALG_ID) for the bulk encryption cipher that is used by this connection. The following table shows the additional valid constants for this member.

Value	Description
CALG_AES_256	AES 256-bit encryption algorithm
CALG_AES_128	AES 128-bit encryption algorithm
CALG_3DES	3DES block encryption algorithm

SecPkgContext_SupportedSignatures

structure

This specifies the signature algorithms that are supported by an Schannel connection.

Syntax (C++)

typedef struct _SecPkgContext_SupportedSignatures {

  WORD cSignatureAndHashAlgorithms;

  WORD *pSignatureAndHashAlgorithms;

} SecPkgContext_SupportedSignatures, *PSecPkgContext_SupportedSignatures;

Members

• cSignatureAndHashAlgorithms
  
  This is the number of elements in the pSignatureAndHashAlgorithms array.
• pSignatureAndHashAlgorithms
  
  This is an array of values that specify the supported algorithms.
  
  The upper byte can be one of the following values that specifies a signature algorithm.
   

  Value	Meaning
  0	Anonymous signature algorithm
  1	The RSA signature algorithm
  2	The DSA signature algorithm
  3	The ECDSA signature algorithm
  255	Reserved

  
  The lower byte can be one of the following values that specifies a hash algorithm.
   

  Value	Meaning
  0	None
  1	The MD5 hash algorithm
  2	The SHA1 hash algorithm
  3	The SHA-224 hash algorithm
  4	The SHA-256 hash algorithm
  5	The SHA-384 hash algorithm
  6	The SHA-512 hash algorithm
  255	Reserved

  
  
  Requirements
   

  Header

  Schannel.h

QueryContextAttributes

This function enables a transport application to query a security package for certain attributes of a security context.

ulAttribute

This is a pointer to a buffer that contains attributes of the context that is to be retrieved. The following table shows the possible values.

Value	Description
SECPKG_ATTR_SUPPORTED_SIGNATURES	This value returns information about the signature types that are supported for the connection. The pBuffer parameter contains a pointer to a SecPkgContext_SupportedSignatures structure.

UI Sample Browser Registry Settings

The following table shows the settings that register the Internet and operating settings in the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Name	Type	Description	Default value
SecureProtocols	REG_BINARY	00,02,00,00 (enables TLS 1.1 only) 00,08,00,00 (enables TLS 1.2 only) You can also set this key as REG_DWORD "0AA8" to enable all protocols.	A0,0A,00,00(enables all protocols, except SSL2)

 

Download information

The Windows Embedded Compact 7 Monthly Update (March 2018) is now available from Microsoft. To download the update, go to the Device Partner Center (DPC).

Prerequisites

This update is supported only if all previously issued updates for this product have also been installed.

Restart requirement

After you apply this update, you must perform a clean build of the whole platform. To do this, use one of the following methods:

• On the Build menu, select Clean Solution, and then select Build Solution.
• On the Build menu, select Rebuild Solution.

You do not have to restart the computer after you apply this software update.

Update replacement information

This update does not replace any other updates.

Learn about the terminology that Microsoft uses to describe software updates.