I upgraded my Windows server from 2016 to 2022. One of the reasons was to get support for TLS 1.3
After the painless in-place upgrade process I tested my web sites and still didn't get any TLS 1.3 connections even though I knew it was possible and I tested it on a fresh install of Server 2022.
Previously I did some extensive changes to the TLS protocols and ciphers to disable TLS 1.0 and 1.1 among other things.
I used the tool IISCrypt rather than editing the registry directly. But it doesn't support Server 2022 with TLS 1.3 yet.
Most related settings are in the registry at:
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
on a fresh server all the sub-keys are empty, meaning some defaults are used. But on mine, I had many ciphers, hashes and protocols disabled.
Also the keys for TLS 1.3 were missing completely, so I added them:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
but I still did not get any 1.3 connections.
Next I removed all the sub-keys and values under SCHANNEL, but that didn't help either.
I found a key: Functions
under
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
that lists all available cipher suites, but doesn't seem to reflect the order of them.
It turned out Microsoft only supports two cipher suites with TLS 1.3:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
both of which I had disabled for some reason.
To see your cipther suites use:
Get-TlsCipherSuite | ft Name
I enabled them in IISCrypt and moved them to the top and after another reboot I finally had TLS 1.3 connections.
There is also a PowerShell cmdlet Enable-TlsCipherSuite
which allows us to enable and sort cipher suites, I will use that next time.
I now get many of the following events (36874) in the System event log:
An TLS 1.2 connection request was received from a remote client application,
but none of the cipher suites supported by the client application are supported by the server.
The TLS connection request has failed.
so some client, most likely a minor search bot failed to connect, I don't think I can find out when cipher suites it supported.
It may actaully be myself by using sslyze.exe or ssllabs.com to check my sites, those tools will try all kind of cipher suites.