How to Disable SSL 3.0/TLS 1.0 and Allow only TLS 1.1/TLS 1.2 for Terminal Server

To enhance security, the customer wants to enforce TLS 1.1 and TLS 1.2 for the communication between the MFD and YSoft SafeQ.

Applies to YSoft SafeQ 5 and YSoft SafeQ 6.

The customer wants to improve security by allowing only TLS 1.1 and TLS 1.2 for the communication between the MFD and YSoft SafeQ, so that SSL 3.0 and TLS 1.0 are no longer accepted or used.


The security protocol for incoming connections to YSoft SafeQ Terminal Server is inherited from the operating system: Terminal Server accepts every protocol version that the operating system (SChannel) has enabled for server-side use, down to the lowest one allowed. It cannot be restricted from within YSoft SafeQ itself.

The security protocol for outgoing connections from YSoft SafeQ Terminal Server depends on multiple factors (such as the operating system and the .NET version), and the required versions can be set using the system parameter securityProtocolTypesForOutboundCommunication.

Resolution:

  1. To force Terminal Server to use TLS 1.1/TLS 1.2 for outgoing connections (e.g. when connecting to the MFD), change the value of the system parameter securityProtocolTypesForOutboundCommunication (expert view within System Settings on the YSoft SafeQ management interface) to: Tls11, Tls12
  2. To force Terminal Server to accept only TLS 1.1/TLS 1.2 for incoming connections, the operating system configuration has to be changed, because Terminal Server inherits the protocols enabled in SChannel. See the instructions below:
    1. Create a TLS.reg file with the content shown below
    2. Copy the file to the server where the affected Terminal Server runs and import it into the registry (double-click it, or run reg import TLS.reg from an elevated command prompt)
    3. Restart the server where the file was applied; the SChannel settings take effect only after a restart
      Note: review this change with the customer's administrator first. The registry values may be overridden, for example by a domain Group Policy, and they apply to every service on that server that uses SChannel (e.g. Remote Desktop, IIS), not only to Terminal Server. Also confirm that all MFDs and other clients connecting to Terminal Server support TLS 1.1 or TLS 1.2 before disabling TLS 1.0, otherwise they will fail to connect after the restart. The file changes only the Server subkeys, so outgoing SChannel connections from the host are not affected by it.

      TLS.reg
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
      "Enabled"=dword:00000000
      "DisabledByDefault"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "Enabled"=dword:00000000
      "DisabledByDefault"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "Enabled"=dword:00000001
      "DisabledByDefault"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "Enabled"=dword:00000001
      "DisabledByDefault"=dword:00000000
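The same change applied and then verified from PowerShell, as an added example that is not part of this article or of YSoft's own documentation. It assumes an elevated PowerShell session on the Terminal Server host; $TerminalServerPort is a placeholder (take the real listener port from the SafeQ documentation), and the handshake probe is only conclusive when run from a machine whose own SChannel client settings still permit TLS 1.0, since a client that cannot offer TLS 1.0 will report "rejected" regardless of the server.

```powershell
# Added example, not YSoft SafeQ code. Run in an elevated PowerShell session.
# Part 1 writes the same server-side SChannel values as TLS.reg (idempotently) and
# reads them back; Part 2 probes the listener after the restart to confirm that
# TLS 1.0 is refused and TLS 1.1/1.2 are accepted.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$TerminalServerPort = 443   # ASSUMPTION: placeholder, replace with the real Terminal Server port

# Desired server-side state: $true = accept, $false = reject
$Desired = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enabled)
    $key = Join-Path $SchannelProtocols "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # SChannel semantics: Enabled=0 switches the protocol off; DisabledByDefault=1 stops it
    # from being offered unless an application explicitly requests it. Setting both makes
    # the result independent of the OS default for that protocol version.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

foreach ($proto in $Desired.Keys) {
    Set-SchannelServerProtocol -Protocol $proto -Enabled $Desired[$proto]
}

# Read back the effective values; a GPO can rewrite them, so repeat this after gpupdate as well
foreach ($proto in $Desired.Keys) {
    $p = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$proto\Server")
    '{0,-8} Enabled={1} DisabledByDefault={2}' -f $proto, $p.Enabled, $p.DisabledByDefault
}
Write-Host 'Restart the server now; SChannel applies these values only after a reboot.'

# Part 2: after the restart, attempt one handshake per protocol version against the listener.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($ComputerName, $Port)
            # Certificate validation is deliberately bypassed: only protocol negotiation is under test
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            [pscustomobject]@{ Protocol = $proto; Accepted = $true; Negotiated = $ssl.SslProtocol }
            $ssl.Dispose()
        } catch {
            # A failed handshake means the server refused that version (or the port is closed)
            [pscustomobject]@{ Protocol = $proto; Accepted = $false; Negotiated = $null }
        } finally {
            $tcp.Dispose()
        }
    }
}

# Expected after the restart: Tls -> Accepted=False, Tls11 and Tls12 -> Accepted=True
Test-TlsVersion -ComputerName $env:COMPUTERNAME -Port $TerminalServerPort | Format-Table -AutoSize
```

Part 1 is the scripted equivalent of importing TLS.reg and is safe to re-run; the read-back loop is the check to repeat if a domain policy is suspected of reverting the values. For an independent cross-check of Part 2 from a non-Windows host, openssl s_client -connect host:port -tls1 should fail against the hardened server while -tls1_2 succeeds.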

Additional information for other YSoft SafeQ components can be found in the documentation.