How to enable the TLS protocol in Internet Explorer. Error in Internet Explorer


When going to any government or service portal (for example, EIS), the user may suddenly encounter the error “It is not possible to securely connect to this page. The site may be using outdated or weak TLS security settings.” This problem is quite common and has been observed for several years among various categories of users. Let's look at the essence of this error and the options for solving it.

As you know, the security of user connections to network resources is ensured through the use of SSL/TLS, the cryptographic protocols responsible for the secure transmission of data on the Internet. They use symmetric and asymmetric encryption, message authentication codes and other special features that maintain the confidentiality of your connection and prevent third parties from decrypting your session.

If, when connecting to a site, the browser detects that the resource uses incorrect SSL/TLS security protocol parameters, the user receives the above message, and access to the site may be blocked.

Quite often, the TLS error arises in the IE browser, a popular tool for working with special government portals associated with various forms of reporting. Working with such portals requires the Internet Explorer browser, and it is here that the problem under consideration arises especially often.

The causes of the error “The site may be using outdated or insecure TLS security settings” may be as follows:


How to fix the error “Weak TLS security settings are being used”

The solution to the problem may be the methods described below. But before describing them, I recommend that you simply restart your PC: however trivial it may seem, this method often proves to be quite effective.

If it doesn't help, then do the following:

  • Temporarily disable your antivirus. In quite a few cases, the antivirus blocked access to sites it assessed as unreliable. Temporarily disable the antivirus program, or disable certificate checking in the antivirus settings (for example, “Do not check secure connections” in Kaspersky antivirus);
  • Install the latest version of the CryptoPro program on your computer (in case of previous work with this program). An outdated version of the product may cause an error that the page is not securely connected;
  • Change your IE settings. Go to “Browser Options”, select the “Security” tab, then click on “Trusted Sites” (the address of your portal should already be entered there, if not, then enter it). At the bottom, uncheck the “Enable Protected Mode” option.

    Then click on the “Sites” button above, and uncheck the “For all sites in this zone...” option. Click “Ok” and try to go to the problematic site.

  • Delete IE browser cookies. Launch the browser and press the Alt key to display the menu. Select the “Tools” tab, then “Delete browser history”, check the box (if it is not already checked) for the “Cookies...” option, then click on “Delete”;

  • Disable the use of VPN programs (if any);
  • Try using a different browser to navigate to the problematic resource (in case you are not required to use any specific browser);
  • Check your PC for viruses (for example, the proven Dr.Web CureIt! will help);
  • Disable the “Secure Boot” option in the BIOS. Despite the certain non-standard nature of this advice, it has helped more than one user get rid of the “outdated or unreliable TLS parameters” error.

Conclusion

The cause of the error “The site may be using outdated or unreliable TLS protocol security parameters” is quite often a local PC antivirus that, for certain reasons, blocks access to the desired Internet portal. If a problematic situation arises, it is recommended that you first disable your antivirus to make sure that it is not causing the problem in question. If the error continues to recur, then I recommend moving on to the other tips described in this article in order to solve the problem of unreliable TLS protocol security settings on your PC.

In October, Google engineers published information about a critical vulnerability in SSL version 3.0, which received the funny name POODLE (Padding Oracle On Downgraded Legacy Encryption, or poodle 🙂). The vulnerability allows an attacker to gain access to information encrypted with the SSLv3 protocol using a “man in the middle” attack. Both servers and clients that can connect using the SSLv3 protocol are affected.

In general, the situation is not surprising, because the SSL 3.0 protocol, first introduced back in 1996, is already 18 years old and is obsolete. In most practical tasks it has already been replaced by the TLS cryptographic protocol (versions 1.0, 1.1 and 1.2).

To protect against the POODLE vulnerability, it is recommended to fully disable SSLv3 support on both the client side and the server side and henceforth use only TLS. For legacy software users (such as those using IIS 6 on Windows XP), this means they will no longer be able to view HTTPS pages or use other SSL services. If SSLv3 support is not completely disabled and stronger encryption is merely offered by default, the POODLE vulnerability will still exist. This is due to the way the client and server select and negotiate the protocol: if a problem is detected in the use of TLS, an automatic fallback to SSL occurs.

We recommend that you check all your services that may use SSL/TLS in any form and disable SSLv3 support. You can check your web server for the vulnerability using an online test, for example, here: http://poodlebleed.com/.

Note. It must be clearly understood that disabling SSL v3 at the system-wide level will only work for software that uses system APIs for SSL encryption (Internet Explorer, IIS, SQL NLA, RRAS, etc.). Programs that use their own crypto tools (Firefox, Opera, etc.) need to be updated and configured individually.

Disabling SSLv3 in Windows at the system level

In Windows, support for the SSL/TLS protocols is controlled through the registry.

In this example we will show how to completely disable SSLv3 at the system level (both client and server level) in Windows Server 2012 R2:

Disable SSLv2 (Windows 2008 / Server and below)

OSes prior to Windows 7 / Windows Server 2008 R2 use by default an even less secure and more outdated protocol, SSL v2, which should also be disabled for security reasons (in more recent Windows versions, SSLv2 at the client level is disabled by default and only SSLv3 and TLS 1.0 are used). To disable SSLv2, you need to repeat the procedure described above, only for the registry key SSL 2.0.

On Windows 2008/2012, SSLv2 is disabled at the client level by default.

Enable TLS 1.1 and TLS 1.2 in Windows Server 2008 R2 and higher

Windows Server 2008 R2 / Windows 7 and higher support the TLS 1.1 and TLS 1.2 protocols, but these protocols are disabled by default. You can enable support for TLS 1.1 and TLS 1.2 in these versions of Windows using a similar procedure.
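The registry procedure that the three sections above refer to (disabling SSL 2.0 and SSL 3.0, enabling TLS 1.1 and TLS 1.2, for both client and server), as an added PowerShell example that is not from the original article. It assumes the standard SCHANNEL `Protocols` registry layout, PowerShell 3.0 or later and an elevated session; the function names are hypothetical.

```powershell
# Added example (not from the original article). Run in an elevated session.
# Assumption: the standard SCHANNEL layout, Protocols\<name>\Client|Server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Target state taken from the sections above: $true = enabled, $false = disabled.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

# Hypothetical helper: writes the Enabled/DisabledByDefault pair for both roles.
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled: 1 = protocol allowed. DisabledByDefault: 1 = not offered by default.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Hypothetical helper: reports what is explicitly set; an empty value means
# the OS default for that Windows version applies.
function Get-SchannelProtocol {
    foreach ($protocol in $desired.Keys) {
        foreach ($role in 'Client', 'Server') {
            $props = Get-ItemProperty -Path (Join-Path $base "$protocol\$role") `
                -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

Get-SchannelProtocol | Format-Table -AutoSize   # state before the change
foreach ($entry in $desired.GetEnumerator()) {
    Set-SchannelProtocol -Protocol $entry.Key -Enable $entry.Value
}
Get-SchannelProtocol | Format-Table -AutoSize   # state after; reboot to apply
```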


A utility for managing system cryptographic protocols in Windows Server

There is a free utility, IIS Crypto, which allows you to conveniently manage the parameters of cryptographic protocols in Windows Server 2003, 2008 and 2012. Using this utility, you can enable or disable any of the encryption protocols in just two clicks.

The program already has several templates that allow you to quickly apply presets for various security configurations.

If you are encountering an issue where access to a specific site is failing and a message appears in your browser, there is a reasonable explanation for this. The causes and solutions to the problem are given in this article.

SSL TLS protocol

Users in budgetary organizations, and not only budgetary ones, whose activities are directly related to finance and who interact with financial bodies such as the Ministry of Finance, the Treasury, etc., conduct all their operations exclusively over the secure SSL protocol. For the most part they use the Internet Explorer browser in their work; in some cases, Mozilla Firefox.

SSL Error

The main attention in these operations, and in the work in general, is paid to the security system: certificates and electronic signatures. The current version of the CryptoPro software is used for this work. As for problems with the SSL and TLS protocols: if an SSL error appears, most likely this protocol is not supported.

TLS error

In many cases a TLS error can also indicate a lack of protocol support. But let's see what can be done in this case.

SSL and TLS protocol support

So, when using Microsoft Internet Explorer to visit an SSL-secured website, the title bar displays “Make sure ssl and tls protocols are enabled”. First of all, you need to enable support for the TLS 1.0 protocol in Internet Explorer.

If you are visiting a website running Internet Information Services 4.0 or higher, configuring Internet Explorer to support TLS 1.0 helps secure your connection. Of course, this is provided that the remote web server you are trying to use supports this protocol.

To do this, in the Tools menu select the Internet Options command.

On the Advanced tab, in the Security section, make sure the following checkboxes are selected:

  • Use SSL 2.0
  • Use SSL 3.0
  • Use TLS 1.0

Click the Apply button and then OK. Restart your browser.

After enabling TLS 1.0, try visiting the website again.

System Security Policy

If errors with SSL and TLS still occur and you still can't use SSL, the remote web server probably doesn't support TLS 1.0. In this case, you must disable the system policy that requires FIPS-compliant algorithms.

To do this, in Control Panel select Administrative Tools, and then double-click Local Security Policy.

In Local Security Settings, expand Local Policies and then click Security Options.

Under Policy on the right side of the window, double-click “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” and then click Disabled.

Attention!

The change takes effect when the local security policy is reapplied. Turn it on and restart your browser.

CryptoPro TLS SSL

Update CryptoPro

One of the options to solve the problem is to update CryptoPro, as well as to configure the resource. In this case, this means working with electronic payments. Go to Certification Authority. Select Electronic Marketplaces as the resource.

After launching the automatic workplace setup, all that remains is to wait for the procedure to complete and then reload the browser. If you need to enter or select a resource address, select the one you need. You may also need to restart your computer when setup is complete.

This error code usually appears on the screen when you go to a service or government website. A striking example is the official EIS portal. It is possible that the failure was caused by outdated or insecure TLS protocol parameters. This is a very common problem, and users have been encountering it for a long time. Now let’s figure out what exactly caused this error and how to fix it.

The security of the connection to the website is ensured by using special encryption protocols, SSL and TLS. They provide security for the transmission of information. The protocols are built on the use of symmetric and asymmetric encryption tools. Message authentication codes and other options are also used. Taken together, these measures make it possible to maintain the confidentiality of the connection, so third parties are deprived of the opportunity to decrypt the session.

When an error appears in the browser indicating problems with the TLS protocol, this means that the website is using incorrect parameters. Therefore, the connection is truly not secure. Access to the portal is automatically blocked.

Most often, users working through the Internet Explorer browser encounter this error. There are several reasons for this failure, namely:

  • the antivirus blocks the connection to the website;
  • the version of the CryptoPro utility is outdated;
  • connection to the portal is carried out via VPN;
  • incorrect Internet Explorer browser settings;
  • the “SecureBoot” function is activated in the BIOS;
  • There are infected files and viruses on the computer.

We have figured out the reasons for the error. It's time to analyze possible ways of solving the problem.

Instructions for troubleshooting

If the error has not disappeared, then it’s time to try alternative methods:

Practice shows that each of the tips listed can eliminate the problem. So just follow the instructions.

Conclusion

Experts claim that the software glitch in question appears due to the antivirus installed on the user’s computer. For some reason the program is blocking access to the website. Therefore, first simply disable the antivirus and change the certificate verification settings. It is likely that this will solve the problem. If the error persists, then try each of the tips suggested above. As a result, the security problem of the TLS protocol will be absolutely solved.

All our arguments are based on the fact that the operating system is Windows XP or later (Vista, 7 or 8), on which all the appropriate updates and patches have been installed. Now there is one more condition: we are talking about the latest versions of browsers, and not “a spherical Firefox in a vacuum.”

So, let's configure browsers to use current versions of the TLS protocol and not to use its outdated versions or SSL at all. At least, as far as possible in theory.

And the theory tells us that although Internet Explorer has supported TLS 1.1 and 1.2 since version 8, under Windows XP and Vista we cannot force it to use them. Click: Tools/Internet Options/Advanced and in the “Security” section we find: SSL 2.0, SSL 3.0, TLS 1.0... did you find anything else? Congratulations, you will have TLS 1.1/1.2! If you didn’t find it, you have Windows XP or Vista, and in Redmond they consider you backward.

So, uncheck all SSL boxes, check all available TLS boxes. If only TLS 1.0 is available, then so be it; if more current versions are available, it is better to select only them, and uncheck TLS 1.0 (and not be surprised later that some sites do not open over HTTPS). Then click the “Apply” and “OK” buttons.

It’s easier with Opera: it lays out a real banquet of different protocol versions for us: Tools/General Settings/Advanced/Security/Protocol Security. What do we see? The whole set, from which we leave the checkboxes only for TLS 1.1 and TLS 1.2, after which we click the “Details” button and there we uncheck all the lines except those that start with “256 bit AES” (they are at the very end). At the beginning of the list there is a line “256 bit AES (Anonymous DH/SHA-256)”; uncheck it too. Click “OK” and rejoice in security.

However, Opera has one strange property: if TLS 1.0 is enabled, then if it is necessary to establish a secure connection, it immediately uses this version of the protocol, regardless of whether the site supports more current ones. Like, why bother – everything is fine, everything is protected. When only TLS 1.1 and 1.2 are enabled, the more advanced version will be attempted first, and only if it is not supported by the site will the browser switch to version 1.1.

But the spherical Firefox will not please us at all: Tools/Settings/Advanced/Encryption: all we can do is disable SSL, TLS is available only in version 1.0, and there is nothing to be done, so we leave it checked.

However, the worst is learned by comparison: Chrome and Safari do not contain settings at all for which encryption protocol to use. As far as we know, Safari does not support TLS versions more current than 1.0 in versions for Windows OS, and since the release of new versions for this OS has been discontinued, it will not be.

Chrome, as far as we know, supports TLS 1.1, but, as in the case of Safari, we cannot refuse the use of SSL. There is no way to disable TLS 1.0 in Chrome. But with the actual use of TLS 1.1 there is a big question: it was first turned on, then turned off due to operational problems and, as far as one can judge, has not yet been turned back on. That is, there seems to be support, but it seems to be turned off, and there is no way for the user to turn it back on. The same story is with Firefox - it actually has support for TLS 1.1, but it is not yet available to the user.

To summarize the long text above: what are the general dangers of using outdated versions of encryption protocols? The fact that someone else will get into your secure connection to the site and gain access to all the information going in both directions. In practical terms, he will have full access to your email mailbox, your account in the client-bank system, etc.

It is unlikely that you will accidentally break into someone else's secure connection; we are only talking about malicious actions. If the likelihood of such actions is low, or the information transmitted over a secure connection is not particularly valuable, then you don’t have to bother and use browsers that only support TLS 1.0.

Otherwise, there is no choice: only Opera and only TLS 1.2 (TLS 1.1 is just an improvement of TLS 1.0, partially inheriting its security problems). However, our favorite sites may not support TLS 1.2 :(

© 2024 ermake.ru -- About PC repair - Information portal