TLS 1.1 and 1.2 support on Windows Embedded Compact 2013

This article describes an update to add support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Embedded Compact 2013.

This update adds the required support for code signing Cryptographic binaries by using SHA256 hash values and updated Windows CE Cryptographic Service Provider signature thumbprint.

Enable TLS 1.1 and TLS 1.2

By default, TLS 1.1 and 1.2 are enabled when the Windows Embedded Compact 2013 device is configured as a client by using browser settings. The protocols are disabled when the Windows Embedded Compact 2013 device is configured as a web server.

In the following sections, we discuss the registry keys that you can use to enable or disable TLS 1.1 and TLS 1.2.

TLS 1.1

The following subkey controls the use of TLS 1.1:

HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.1

To disable the TLS 1.1 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.

Note To enable and negotiate TLS 1.1, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

TLS 1.2

The following subkey controls the use of TLS 1.2:

HKEY_LOCAL_MACHINE\Comm\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

To disable the TLS 1.2 protocol, you must create the Enabled DWORD entry in the appropriate subkey, and then change the DWORD value to 0. To re-enable the protocol, change the DWORD value to 1. By default, this entry does not exist in the registry.

Note To enable and negotiate TLS 1.2, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0.

Warning The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential.

Note Per the Request for Comments (RFC), the design implementation does not allow SSL2 and TLS 1.2 to be enabled at the same time.

The following sections  provide additional details about TLS 1.1 and 1.2.

Cipher Suites supported by TLS 1.2 only

The following newly added cipher suites are supported by TLS 1.2 only:

• TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
• TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
• TLS_RSA_WITH_NULL_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521

SCHANNEL_CRED

grbitEnabledProtocols

(Optional) This DWORD contains a bit string that represents specific protocols. The protocols are supported by connections that are made by using credentials that are acquired by using this structure.

The following table shows the additional possible flags this member can contain.

SecBuffer

BufferType

This set of bit flags indicates the type of buffer. The following table shows the additional available flags for TLS 1.2:

SecPkgContext_ConnectionInfo

dwProtocol

This designates the protocol that is used to establish this connection. The following table shows additional valid constants for this member:

Microsoft Windows CE Cryptographic Service Provider Signature thumbprint

The Microsoft Windows CE Cryptographic Service Provider Signature thumbprint is updated in Windows Embedded Compact 2013. The period of validity for the code signing certificate is changed as follows.

Old period of validity

02/15/2017 - 05/09/2018

New period of validity

09/06/2018 - 09/06/2019

Download information

The Windows Embedded Compact 2013 Monthly Update (October 2018) is now available from Microsoft. To download this update, go to Microsoft OEM Online or MyOEM.

Prerequisites

This update is supported only if all previously issued updates for this product have also been installed.

Restart requirement

After you apply this update, you must perform a clean build of the whole platform. To do this, use one of the following methods:

• On the Build menu, select Clean Solution, and then select Build Solution.
• On the Build menu, select Rebuild Solution.

You do not have to restart the computer after you apply this software update.

Update replacement information

This update does not replace any other updates.

Learn about the terminology that Microsoft uses to describe software updates.