Configuring cryptographic protocols for communication with terminals

Description

The list of cryptographic protocol versions that the Terminal Server uses for encrypted communication can be modified.

The Terminal Server can be set to use the following versions of the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol: SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. If a protocol version is not present in the list, the Terminal Server will not communicate with terminals that support only the removed versions.

To work properly, the list must contain consecutive versions: a single version is valid, SSL 3.0 + TLS 1.0 and TLS 1.0 + TLS 1.1 + TLS 1.2 are both valid lists, but TLS 1.0 + TLS 1.2 is not, because it skips TLS 1.1.

Inbound connection

The SSL/TLS protocol versions supported by the Terminal Server for inbound connections (e.g. user login on a terminal) are fully determined by the underlying operating system. They are specified in the Windows Server registry:

  1. Create a tls.reg file with the following content (the blank line after the version header is part of the .reg file syntax):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "Enabled"=dword:00000000
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

    These values disable SSL 3.0 and TLS 1.0 and enable TLS 1.1 and TLS 1.2 for inbound connections. Adjust them to your requirements before proceeding to the next step.

  2. Open this file on the machine running the Terminal Server. Windows creates the listed registry keys and values automatically.

  3. Restart the machine running the Terminal Server.

Outbound connection

You can specify the list of SSL/TLS protocol versions supported for Terminal Server outbound communication (e.g. terminal installation) in the YSoft SafeQ web interface. Go to System settings (Expert options) and search for the property securityProtocolTypesForOutboundCommunication.

When the list is empty, the supported protocols depend on the .NET version in use. In .NET 4.5 the only SSL/TLS protocol versions supported are SSL 3.0 and TLS 1.0. In .NET 4.6 and above, TLS 1.1 and TLS 1.2 are also enabled by default.

Protocols and algorithms not enabled in the underlying operating system cannot be used. The SSL/TLS protocol versions supported by the Terminal Server are the intersection of the versions specified in the aforementioned property and the settings in the OS.

The Terminal Server has to be restarted after the property is modified.
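The following is an added example, not part of the YSoft SafeQ documentation or product: it parses a tls.reg file of the form shown in the "Inbound connection" step to determine which SCHANNEL versions the OS enables, checks that a securityProtocolTypesForOutboundCommunication list obeys the consecutive-versions rule, and computes the intersection the "Outbound connection" section describes. The tls.reg content is the page's own file embedded as a constructed sample; the function and variable names are this example's own.

```python
import re
# Protocol versions in the order the Terminal Server lists them.
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]
# Constructed sample: the tls.reg content from the "Inbound connection" step above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
"""
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\SCHANNEL\\Protocols\\(?P<ver>[^\\]+)\\(?P<side>Server|Client)\]$")
VAL_RE = re.compile(r'^"(?P<name>Enabled|DisabledByDefault)"=dword:(?P<val>[0-9a-fA-F]{8})$')

def schannel_enabled_versions(reg_text, side="Server"):
    """Versions the .reg file enables for one side: Enabled non-zero and DisabledByDefault zero."""
    settings, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group("ver"), key.group("side"))
            settings.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if val and current:
            settings[current][val.group("name")] = int(val.group("val"), 16)
    flag = lambda v, name: settings.get((v, side), {}).get(name, 0)
    return [v for v in VERSIONS if flag(v, "Enabled") and not flag(v, "DisabledByDefault")]

def is_consecutive(versions):
    """The outbound property must list adjacent versions; TLS 1.0 + TLS 1.2 skips TLS 1.1 and is invalid."""
    idx = sorted(VERSIONS.index(v) for v in versions)
    return bool(idx) and idx == list(range(idx[0], idx[-1] + 1))

def effective_outbound(property_versions, os_versions):
    """Versions usable outbound: the intersection of the property list and the OS-enabled set.
    An empty property list is left to the .NET defaults described above, so pass the list explicitly."""
    if not is_consecutive(property_versions):
        raise ValueError("securityProtocolTypesForOutboundCommunication must list consecutive versions")
    return [v for v in VERSIONS if v in property_versions and v in os_versions]
```

The page's file sets only the Server subkeys, which govern inbound connections; for the outbound intersection, pass side="Client" against a .reg file that also sets the Client subkeys.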

Limitations

Older Windows servers contain a weak implementation of TLS 1.2. This may cause connection failures to the YSoft Payment System, Konica Minolta devices and FujiXerox devices.