Overview
With Windows Server 2022, system administrators have the option to enable TLS 1.3 and use QUIC for the HTTP/3 protocol. The benefits are that TLS 1.3 is more secure than older versions of TLS, and its handshake requires fewer round trips, which reduces latency. You can enable TLS 1.3 and QUIC on your Server 2022 machine by following the instructions below.
Prerequisites
To take advantage of TLS 1.3 and QUIC, you must have an SSL certificate installed and port 443 open to inbound UDP traffic (QUIC runs over UDP rather than TCP).
Step 1.
Open Notepad and enter the information below:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp3"=dword:00000001
"EnableAltSvc"=dword:00000001
Step 2.
Save the file with a ".reg" extension, for example TLS1.3.reg.
Step 3.
Double-click the registry file to import it. After it has been imported, open Registry Editor and navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3" to verify that the new keys and values are present.
Step 4.
Open PowerShell as Administrator and run the commands below to enable the following cipher suites:
Enable-TlsCipherSuite -Name TLS_CHACHA20_POLY1305_SHA256 -Position 0
Enable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Enable-TlsCipherSuite -Name TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Step 5.
Open IIS Manager, select the web site, then click HTTP Response Headers. Add a new response header:
Name: alt-svc
Value: h3=":443";
Step 6.
Inside IIS Manager go to Default Web Site, then open Bindings for port 443. Make sure to check "Disable Legacy TLS" and click OK.
Step 7.
Reboot the server.
Step 8.
In Firefox, open the Web Developer Tools (Network tab), right-click a column name and add "Protocol". Navigate the browser to the login page and you should start to see traffic coming through with protocol "HTTP/3".
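As an added server-side check that is not part of the original guide, the following PowerShell script verifies the results of Steps 1 through 7 from the server itself: the registry values, the cipher suites, the UDP 443 listener and the alt-svc header. It assumes $SiteUrl points at the site bound on port 443 with a trusted certificate, and that it is run in an elevated PowerShell after the reboot.

```powershell
# Added verification script (not part of the original guide). Run elevated
# after the reboot in Step 7. Assumption: $SiteUrl is the HTTPS site from Step 5.
param([string]$SiteUrl = 'https://localhost/')

$tls13 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3'
$http  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Step 1: each entry is a registry path, a value name, and whether it must be non-zero.
$expected = @(
    @{ Path = "$tls13\Client"; Name = 'DisabledByDefault'; NonZero = $false },
    @{ Path = "$tls13\Client"; Name = 'Enabled';           NonZero = $true  },
    @{ Path = "$tls13\Server"; Name = 'DisabledByDefault'; NonZero = $false },
    @{ Path = "$tls13\Server"; Name = 'Enabled';           NonZero = $true  },
    @{ Path = $http;           Name = 'EnableHttp3';       NonZero = $true  },
    @{ Path = $http;           Name = 'EnableAltSvc';      NonZero = $true  }
)

foreach ($e in $expected) {
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { Write-Warning "MISSING $($e.Path)\$($e.Name)"; continue }
    # dword:ffffffff is read back as the Int32 value -1, so test non-zero, not a literal.
    $ok = (($item.($e.Name) -ne 0) -eq $e.NonZero)
    '{0,-4} {1}\{2} = {3}' -f $(if ($ok) {'OK'} else {'BAD'}), $e.Path, $e.Name, $item.($e.Name)
}

# Step 4: the suites enabled by the guide should now be in the Schannel list.
# Note: the two ECDHE_RSA suites are TLS 1.2 suites; a TLS 1.3 connection
# negotiates TLS_AES_* or TLS_CHACHA20_POLY1305_SHA256 instead.
$enabled = (Get-TlsCipherSuite).Name
foreach ($suite in 'TLS_CHACHA20_POLY1305_SHA256',
                   'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                   'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256') {
    '{0,-4} cipher suite {1}' -f $(if ($enabled -contains $suite) {'OK'} else {'BAD'}), $suite
}

# Prerequisite: with HTTP/3 enabled, HTTP.sys must be listening for QUIC on UDP 443.
$udp = Get-NetUDPEndpoint -LocalPort 443 -ErrorAction SilentlyContinue
'{0,-4} UDP 443 listener' -f $(if ($udp) {'OK'} else {'BAD'})

# Step 5: the site should advertise HTTP/3 through the alt-svc response header.
try {
    $resp = Invoke-WebRequest -Uri $SiteUrl -UseBasicParsing
    $alt  = "$($resp.Headers['alt-svc'])"
    '{0,-4} alt-svc header: {1}' -f $(if ($alt -match 'h3=') {'OK'} else {'BAD'}), $alt
} catch {
    Write-Warning "Could not fetch $SiteUrl : $($_.Exception.Message)"
}
```

Any line reported as BAD or MISSING points back to the step that sets it; the UDP check also fails if the Windows Firewall still blocks inbound UDP 443.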