Why Disable TLS 1.0


Transport Layer Security 1.0 (TLS 1.0) is a cryptographic protocol designed to provide secure communication between web browsers and servers. It is used in almost every app nowadays. Many IP-based protocols such as HTTPS, SMTP, POP3, and FTP support TLS. Disable TLS 1.0 is a critical task for security and compliance.


Currently, the most common versions of TLS (which is a type of security for internet connections) are TLS 1.0, TLS 1.1, and TLS 1.2. TLS 1.0 and TLS 1.1 are no longer considered safe to use because they have known security weaknesses. TLS 1.2, which is much safer, will also be outdated by 2023. Big companies like Apple, Google, Microsoft, and Mozilla, who make web browsers like Chrome, Edge, Internet Explorer, Firefox, and Safari, have said that they won’t support TLS 1.0 and TLS 1.1 anymore since the first half of 2020.


server hardening white paper


Disabling TLS 1.0 and TLS 1.1 can be a painful procedure. If you're reading this article, you probably already know it. Endless hours, labor, and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CHS by CalCom automates the entire server hardening process.


TLS Policy Description


Regulatory requirements and new security vulnerabilities on TLS 1.0 are leading organizations to disable TLS 1.0 across their IIS infrastructure. While it is no longer the default security protocol in modern OSes, it is in more veteran versions (Windows 7 and older). Therefore, removing TLS 1.0 is a complicated issue due to its dependencies.


Regulatory landscape to disable TLS 1.0:





TLS 1.0 and SSL Vulnerabilities: What You Need to Know

Potential TLS 1.0 Vulnerability


While exposing your organization to several vulnerabilities, one of the most critical is a man-in-the-middle attack. This attack risks the integrity and the authentication of data sent between a website and a browser. TLS 1.0 is also responsible for other prevalent TLS vulnerabilities including Heartbleed, POODLE, BEAST, and CRIME.

Risk of outdated TLS protocols


Using old TLS protocols means using encryption methods that are no longer recommended or supported. This can lead to extra work to maintain them and make products more expensive to upkeep. Besides this, there are other reasons to avoid old TLS protocols:


  • Using outdated TLS versions would force organizations to use outdated, vulnerable cipher suites and not support newer recommended cipher suits.
  • TLS 1.0 and 1.1 are vulnerable to downgrade attacks since they rely on SHA-1 hash for the integrity of exchanged messages. Even authentication of handshakes is done based on SHA-1, which makes it easier for an attacker to impersonate a server for MITM attacks. TLS 1.1 or below does not provide the option to select more robust hashing algorithms, which the newer protocols do.
  • Supporting older protocols drive up cost as all vulnerabilities need to be patched, libraries need to be supported, and the attack surface increases.



Dependencies on all security protocols older than TLS 1.2 be removed. TLS 1.0 must be disabled.


Potential Impact if You Disable TLS 1.0


Considering the fact that TLS 1.0 has been here for so long, it is highly recommended that its removal process will include the following procedures:

  1. Find and fix hardcoded instances of TLS 1.0.
  2. Scan and analyze end point traffic to identify OS using TLS 1.0.
  3. Test your entire application stack with TLS 1.0 disabled.
  4. Migrate legacy OSes and develop frameworks to versions capable of negotiating TLS 1.2.
  5. Test your OSes to identify any TLS 1.2 support issues.
  6. Notify and coordinate with your business partners your plans to neglect TLS 1.0.
  7. Map the clients that may no longer be able to connect your servers once you disable TLS 1.0.






Windows OS Value
Windows Vista Default
Windows Server 2008 Default
Windows 7 (WS2008 RS) Default
Windows 8 (WS2012) Enabled
Windows 8.1 (WS2012 RS) Enabled
Windows 10 Enabled
Windows Server 2016 Enabled
Windows Server 2019 Enabled
Windows Server 2022 Enabled- after latest patch-Internet explorer TLS 1.0 is disabled



Disable TLS 1.0 in all OSes.




It is better to disable legacy TLS versions directly through the registry. You can use the GPO to deploy registry parameters you need to domain computers.


In order to disable TLS 1.0 on Windows both for a client and a server, add the following options to the registry:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]


You can disable other protocols In the same way. It is enough to replace the highlighted path in the registry with SSL 2.0, SSL 3.0, TLS 1.1, etc.


To force enable TLS 1.2, add the registry entries below:


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]


TLS 1.0 subkey table:


Client Controls the use of TLS 1.0 on the TLS client.
Server Controls the use of TLS 1.0 on the TLS server.


To disable TLS 1.0 for client or server, change the DWORD value to 0. If an SSPI app requests to use TLS 1.0, it will be denied.


To disable TLS 1.0 by default, create a DisabledByDefault entry and change the DWORD value to 1. If an SSPI app explicitly requests to use TLS 1.0, it may be negotiated.


TLS 1.0 is an outdated protocol with known vulnerabilities that can be exploited by attackers, leading to data breaches and compromised communications. Automating the process of disabling TLS 1.0 ensures consistent and swift implementation across all servers, reducing the risk of human error and ensuring compliance with industry standards and regulations.

You might be interested