Enable TLS 1.1 and 1.2 on Windows Server 2008 SP2

Microsoft has released an update for Windows 2008 in 2017 which adds support for TLS 1.1 and 1.2. See @Chris Vesper's answer for the details.

Original:

Windows 2008 does not support TLS 1.1 and 1.2. You can mitigate BEAST by using a different cipher suite (not involving RC4).

Have a look over at security.stackexchange.com: https://security.stackexchange.com/questions/14326/how-to-fix-ssl-2-0-and-beast-on-iis


We were able to get TLS 1.1 and 1.2 working on Server 2008 SP2.

We have a Win32 application being used on Server 2008 SP2 by numerous customers. The application needs to talk to credit card processing companies that only support TLS 1.2 as of April 2018.

Here is the procedure we followed:

  1. Install KB4019276 from https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276

  2. Create registry keys for TLS 1.1 and TLS 1.2. These keys are created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols as documented here https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx

  3. Enable TLS 1.1 and 1.2 in Internet Explorer 9 as documented here https://msfn.org/board/topic/176902-enabling-tls-1112-support-in-vistas-internet-explorer-9/


Detailed instructions from Step 2 above if the URL is dead.

  1. Browse to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  2. Right click on the Protocols folder and select New and then Key from the drop-down menu. This will create new folder. Rename this folder to TLS 1.2.

  3. Right click on the TLS 1.2 key and add two new keys underneath it.

  4. Rename the two new keys as: Client Server

  5. Right click on the Client key and select New and then DWORD (32-bit) Value from the drop-down list.

  6. Rename the DWORD to DisabledByDefault.

  7. Right-click the name DisabledByDefault and select Modify... from the drop-down menu.

  8. Ensure that the Value data field is set to 0 and the Base is Hexadecimal. Click on OK.

  9. Create another DWORD for the Client key as you did in Step 7.

  10. Rename this second DWORD to Enabled.

  11. Right-click the name Enabled and select Modify... from the drop-down menu.

  12. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.

  13. Repeat steps 5 to 12 for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).

  14. Reboot the server.

Detailed instructions from Step 3 above if the URL is dead.

  1. After installing KB4019276, launch regedit, preferably as Administrator, and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\AdvancedOptions\CRYPTO\TLS1.1

  2. Delete the "OSVersion"="3.6.1.0.0" subkey.

  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\AdvancedOptions\CRYPTO\TLS1.2

  4. Again, delete the "OSVersion"="3.6.1.0.0" subkey. Exit Registry Editor.

  5. Launch IE9; Tools -> Internet Options -> Advanced tab -> Scroll all the way down to "Security".

  6. Prior to KB4019276 and registry manipulations, only "Use TLS 1.0" had been available on Vista; you should have already unchecked the older "Use SSL 2.0/3.0" options, to avoid being targeted by "POODLE" attacks; uncheck "Use TLS 1.0" (optionally also "Use TLS 1.1") and check "Use TLS 1.2".

  7. Click Apply, OK, then exit IE9.

  8. Upon restarting IE9, you'll find you can now visit all those sites that previously would not load due to unsupported TLS protocols.
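The SCHANNEL part of the procedure (Step 2 above) can be scripted instead of clicking through regedit. The following is an added example, not code from the answer above: it creates the TLS 1.1 and TLS 1.2 Client and Server keys with the same DWORD values the manual steps use, then reads every key back so the result can be verified before rebooting. It assumes an elevated PowerShell prompt and that KB4019276 is already installed.

```powershell
# Added example (not from the answer above). Creates the SCHANNEL protocol keys
# described in Step 2 for TLS 1.1 and TLS 1.2, Client and Server, and then
# verifies them. Run from an elevated PowerShell prompt on the Server 2008 SP2
# host. Assumes KB4019276 is installed; without it these keys have no effect.
# A reboot is still required after the keys are written.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'TLS 1.1', 'TLS 1.2'
$sides = 'Client', 'Server'

foreach ($proto in $protocols) {
    foreach ($side in $sides) {
        $key = Join-Path (Join-Path $base $proto) $side
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Same values as the manual steps: DisabledByDefault = 0, Enabled = 1
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Verification: read each key back and flag anything that does not match
$allOk = $true
foreach ($proto in $protocols) {
    foreach ($side in $sides) {
        $key = Join-Path (Join-Path $base $proto) $side
        $p = Get-ItemProperty -Path $key
        $ok = ($p.DisabledByDefault -eq 0) -and ($p.Enabled -eq 1)
        if (-not $ok) { $allOk = $false }
        $status = if ($ok) { 'OK' } else { 'CHECK' }
        '{0,-8} {1,-6} DisabledByDefault={2} Enabled={3} {4}' -f $proto, $side, $p.DisabledByDefault, $p.Enabled, $status
    }
}

if ($allOk) {
    'All SCHANNEL keys written. Reboot the server to apply the change.'
} else {
    'One or more keys do not have the expected values; review the lines marked CHECK.'
}
```

The script only covers the SCHANNEL keys; the Internet Explorer 9 changes in Step 3 are a separate registry location and are still done as described above.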