XS1: Disabling TLS 1.0 and 1.1 on XS1 Application Server
The XS1 application needs to be updated to disable TLS 1.0 and 1.1 via the Java.security file, then the Windows Registry on the application server must also be updated to disable TLS 1.0 and 1.1.
1. Disable TLS 1.0 and 1.1 in the applications JAVA.SECURITY file.
The ?jdk.tls.disabledAlgorithms? property in the ?C:\xs1\libraries\Java\jdk-11\conf\security\java.security? file in the application server.
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
# rsa_pkcs1_sha1, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
2. Disable TLS 1.0 and 1.1 in the windows registry.
The Steps to disable TLS 1.0 and TLS 1.1 are as follows: - Input ?regedit? in Run, which will open the Registry Editor
- Go to HKEY_LOCAL\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- If you don?t see TLS 1.0 and Client/Server subkeys, please create them.
Right-click on ?Protocols?, Select New > Key, and enter ?TLS 1.0? as the key - Right-click on ?TLS 1.0?, Select New > Key, and enter ?Client? as the key
- Right-click on ?TLS 1.0?, Select New > Key, and enter ?Server? as the key
- Select the Client key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?Enabled? as the DWORD?s title, modify the value of it to 0.
- Select the Client key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?DisabledByDefault? as the DWORD?s title, modify the value of it to 1.
- Select the Server key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?Enabled? as the DWORD?s title, modify the value of it to 0.
- Select the Server key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?DisabledByDefault? as the DWORD?s title, modify the value of it to 1.
- If you don?t see TLS 1.1 and Client/Server subkeys, please create them.
Right-click on ?Protocols?, Select New > Key, and enter ?TLS 1.1? as the key - Right-click on ?TLS 1.1?, Select New > Key, and enter ?Client? as the key
- Right-click on ?TLS 1.1?, Select New > Key, and enter ?Server? as the key
- Select the Client key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?Enabled? as the DWORD?s title, modify the value of it to 0.
- Select the Client key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?DisabledByDefault? as the DWORD?s title, modify the value of it to 1.
- Select the Server key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?Enabled? as the DWORD?s title, modify the value of it to 0.
- Select the Server key, and Right-click an empty space on the Right-Pane to select New > DWORD(32-bit) Value, and enter ?DisabledByDefault? as the DWORD?s title, modify the value of it to 1.
Screenshot example of the required changes for TLS 1.1 below for reference:
Once updated the application server and XS1 services both need to restarted.
If you are unable to locate the solution needed or if you need additional assistance, please Click Here to open a case from our Customer Care Portal.