Recommended registry changes for TLS 1.2

GoFileRoom is updated to use TLS 1.2. See User Bulletin 8571 for more detailed information on this change.

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are protocols that provide secure communications. Active Directory Federation Services uses these protocols for communications. Several versions of these protocols exist today.

Schannel is a Security Support Provider (SSP) that implements the SSL, TLS and DTLS Internet standard authentication protocols. The Security Support Provider Interface (SSPI) is an API used by Windows systems to perform security-related functions including authentication.

This topic lists the registry entries that need to be updated if errors are encountered on Windows 7 machines due to the TLS 1.2 changes made on GoFileRoom.

Thomson Reuters recommends having a qualified technician make registry changes, as problems with the registry can cause serious problems with the operating system. It is also recommended that you back up the registry before making changes to it.

Steps to update TLS

  1. Navigate to Run.
  2. Type Regedit and click OK.

    Note: If prompted by User Account Control to allow this program to make changes, click Yes.

  3. Registry Editor opens.
  4. Validate all of the registry entries below and update them if required.
    • To add a key or value in Registry Editor, after the original registry has been backed up or exported, right-click on the appropriate location and select New, then select either Key or DWORD value as needed.
    • To edit an existing value in Registry Editor, after the original registry has been backed up or exported, right-click on the name and select Modify.
    • For more information on Windows registry items, see Windows registry information for advanced users.

Internet Explorer security zones registry entries

  1. Locate the following registry key:  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    1. Check that the key contains the following DWORD value: "DefaultSecureProtocols"=dword:00000a80
    2. If it is not present, create a DWORD (32-bit) value named "DefaultSecureProtocols" and set it to "00000a80".
  2. Locate the following registry key:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    1. Check that the key contains the following DWORD value: "DefaultSecureProtocols"=dword:00000a80
    2. If it is not present, create a DWORD (32-bit) value named "DefaultSecureProtocols" and set it to "00000a80".
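
The value 00000a80 is a hexadecimal bitmask of WinHTTP protocol flags (TLS 1.0, TLS 1.1 and TLS 1.2 combined). The following read-only check is an added example, not Thomson Reuters code: it decodes whatever is currently set in both keys above and compares it with the page's value. The function name ConvertFrom-SecureProtocolMask is hypothetical; the bit values are the documented WinHTTP flags.

```powershell
# Added example: decode WinHTTP DefaultSecureProtocols in both registry views (read-only).
# Run from 64-bit PowerShell so the WOW6432Node path is not redirected.
$flags = @(
    @{ Name = 'SSL 2.0'; Bit = 0x00000008 },
    @{ Name = 'SSL 3.0'; Bit = 0x00000020 },
    @{ Name = 'TLS 1.0'; Bit = 0x00000080 },
    @{ Name = 'TLS 1.1'; Bit = 0x00000200 },
    @{ Name = 'TLS 1.2'; Bit = 0x00000800 }
)

# Hypothetical helper: turn the bitmask into a readable protocol list.
function ConvertFrom-SecureProtocolMask {
    param([int]$Mask)
    $names = foreach ($f in $flags) { if ($Mask -band $f.Bit) { $f.Name } }
    $names -join ', '
}

# The two key paths given on this page (64-bit view and 32-bit view).
$views = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

$report = foreach ($path in $views) {
    $item = Get-ItemProperty -LiteralPath $path -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value is absent: this is the case where the page says to create it.
        New-Object PSObject -Property @{ Path = $path; Hex = '(not set)'; Protocols = ''; MatchesPage = $false }
    } else {
        $mask = [int]$item.DefaultSecureProtocols
        New-Object PSObject -Property @{
            Path        = $path
            Hex         = '{0:x8}' -f $mask
            Protocols   = (ConvertFrom-SecureProtocolMask $mask)
            MatchesPage = ($mask -eq 0xa80)   # the value this page asks for
        }
    }
}
$report | Select-Object MatchesPage, Hex, Protocols, Path | Format-List
```

A mask that also decodes to SSL 2.0 or SSL 3.0 shows that legacy protocols are still offered by WinHTTP clients on that machine.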

Security Protocols registry entries

The registry updates below enable the system to accept TLS 1.2, TLS 1.1, and SSL, respectively.

TLS 1.2 Registry entries

Compare the client system's registry with the entries below. If they do not exist, create them.

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • "Enabled"=dword:ffffffff
    • "DisabledByDefault"=dword:00000000
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
    • "Enabled"=dword:ffffffff
    • "DisabledByDefault"=dword:00000000

TLS 1.1 Registry entries

Compare the client system's registry with the entries below. If they do not exist, create them.

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    • "Enabled"=dword:ffffffff
    • "DisabledByDefault"=dword:00000000
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    • "Enabled"=dword:ffffffff
    • "DisabledByDefault"=dword:00000000

SSL Registry changes

In Microsoft Office 2010, SSL3 is enabled by default. Change the value to 0 as shown below.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL3

"DisabledByDefault"=dword:00000000

Systems without the GoFileRoom Client Add-In

Systems that interact with GoFileRoom without the Client Add-In, including machines with only Upload Document Service installed, will require registry changes to accommodate TLS 1.2 security.

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • "SchUseStrongCrypto"=dword:00000001
  2. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
    • "SchUseStrongCrypto"=dword:00000001

    Note: To remove these entries, update "SchUseStrongCrypto"=-.
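
To validate a machine against the SCHANNEL and .NET Framework entries listed in the sections above without opening Registry Editor, the following read-only audit reports each value as OK, Missing or Mismatch. It is an added example, not Thomson Reuters code; the function name Test-RegistryDword is hypothetical, and the expected data is copied from this page in its dword hex notation.

```powershell
# Added example: read-only audit of the SCHANNEL and .NET values listed on this page.
# Run from 64-bit PowerShell so the Wow6432Node path is not redirected.
$proto = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$net   = 'Microsoft\.NETFramework\v4.0.30319'

# Expected data, exactly as written on the page (dword:xxxxxxxx).
$expected = @()
foreach ($version in 'TLS 1.2', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $expected += @{ Path = "$proto\$version\$role"; Name = 'Enabled';           Hex = 'ffffffff' }
        $expected += @{ Path = "$proto\$version\$role"; Name = 'DisabledByDefault'; Hex = '00000000' }
    }
}
$expected += @{ Path = "$proto\SSL3"; Name = 'DisabledByDefault'; Hex = '00000000' }
$expected += @{ Path = "HKLM:\SOFTWARE\$net";             Name = 'SchUseStrongCrypto'; Hex = '00000001' }
$expected += @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$net"; Name = 'SchUseStrongCrypto'; Hex = '00000001' }

# Hypothetical helper: compare one registry value with the expected hex string.
function Test-RegistryDword {
    param([string]$Path, [string]$Name, [string]$Hex)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $status = 'Missing'      # key or value absent: create it as described above
    } else {
        # PowerShell returns a DWORD as a signed Int32, so ffffffff reads back as -1.
        # Formatting as 8 hex digits makes it comparable with the page's notation.
        $actual = '{0:x8}' -f $item.$Name
        $status = if ($actual -eq $Hex) { 'OK' } else { 'Mismatch' }
    }
    New-Object PSObject -Property @{
        Status = $status; Path = $Path; Name = $Name; Expected = $Hex; Actual = $actual
    }
}

$results = foreach ($e in $expected) { Test-RegistryDword @e }
$results | Select-Object Status, Name, Expected, Actual, Path | Format-Table -AutoSize -Wrap
```

The script changes nothing; rows reported as Missing or Mismatch are the ones to correct by following the steps above after the registry has been backed up.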