How to Disable SSL 3.0/TLS 1.0 and Allow only TLS 1.1/TLS 1.2 for Terminal Server

To harden communication between MFDs and YSoft SafeQ, the customer wants to enforce TLS 1.1 and TLS 1.2 and refuse SSL 3.0 and TLS 1.0.

Applies to YSoft SafeQ 5 and YSoft SafeQ 6.

Summary:

Enforcing TLS 1.1/TLS 1.2 for MFD-YSoft SafeQ communication means covering both directions of Terminal Server traffic, which are controlled in different places:

For incoming connections to YSoft SafeQ Terminal Server, the accepted protocol versions are inherited from the operating system (SChannel) settings. Terminal Server does not pin a minimum version itself, so it accepts the weakest protocol that is still enabled on the system.

For outgoing connections from YSoft SafeQ Terminal Server, the protocol versions offered depend on several factors (operating system, .NET version) and can be restricted explicitly with the system parameter securityProtocolTypesForOutboundCommunication.

Resolution:

  1. To force Terminal Server to use TLS 1.1/TLS 1.2 for outgoing connections (e.g. when connecting to the MFD), change the value of the parameter securityProtocolTypesForOutboundCommunication (expert view within System Settings on the YSoft SafeQ management interface) to: Tls11, Tls12
     The value is a comma-separated list of protocol names; leaving out Ssl3 and Tls (TLS 1.0) is what enforces the minimum. If every MFD in the fleet supports TLS 1.2, use Tls12 alone, since TLS 1.1 is deprecated as well.
  2. To force Terminal Server to accept only TLS 1.1/TLS 1.2 for incoming connections, the operating system configuration must be updated. Follow the steps below:
    1. Create a TLS.reg file with the content shown below
    2. Copy the file to the server where the affected Terminal Server runs and import it into the registry with administrative rights (double-click it, or run reg import TLS.reg)
    3. Restart the server where the file was imported; SChannel reads these values at boot
      Note: review this change with the customer's administrator beforehand. The registry change may be overridden, for example by domain Group Policy, and it applies to every SChannel-based listener on the host (for example RDP or IIS), not only to Terminal Server. Any MFD that cannot negotiate TLS 1.1 or higher will stop connecting after the reboot. The file only touches the Server subkeys, so the protocols Terminal Server uses for outgoing connections are not affected.

      tls.reg
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
      "Enabled"=dword:00000000
      "DisabledByDefault"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "Enabled"=dword:00000000
      "DisabledByDefault"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "Enabled"=dword:00000001
      "DisabledByDefault"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "Enabled"=dword:00000001
      "DisabledByDefault"=dword:00000000
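The following PowerShell script is an added example and is not part of the original article or of YSoft SafeQ. It writes the same Server-side SChannel values as the TLS.reg file above in an idempotent way, reads them back for verification, and, after the reboot, probes a listening port from another machine to confirm which protocol versions it actually negotiates. The host name safeq-ts.example.com and port 5021 are placeholders; substitute the address and TLS port your Terminal Server listens on.

```powershell
# Added example, not part of the original KB article or of YSoft SafeQ.
# Assumptions: elevated PowerShell 5.1 session on the Terminal Server host for
# Set-/Get-SchannelServerProtocols; any .NET-capable client for Test-TlsVersion.
# Host name and port in the usage section are placeholders.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired server-side state, same as TLS.reg: $true = offered, $false = disabled.
$Desired = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Set-SchannelServerProtocols {
    param([System.Collections.IDictionary]$State = $Desired)
    foreach ($proto in $State.Keys) {
        $key = Join-Path $SchannelBase "$proto\Server"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 + DisabledByDefault=1 disables a version;
        # Enabled=1 + DisabledByDefault=0 offers it. Both values are written so
        # an inherited or policy-set value cannot leave the pair inconsistent.
        $enabled  = [int]$State[$proto]
        $disabled = [int](-not $State[$proto])
        Set-ItemProperty -Path $key -Name Enabled           -Value $enabled  -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value $disabled -Type DWord
    }
}

function Get-SchannelServerProtocols {
    # Reads the current values back; $null means the key/value is absent and the
    # operating system default applies (which may be "enabled" for TLS 1.0).
    foreach ($proto in $Desired.Keys) {
        $key = Join-Path $SchannelBase "$proto\Server"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
            Expected          = $Desired[$proto]
        }
    }
}

function Test-TlsVersion {
    # Offers exactly one protocol version to the target and reports whether the
    # handshake succeeded. Run from a machine other than the server after reboot.
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Certificate validation is deliberately bypassed: this probes version
        # negotiation only, not certificate trust.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        [pscustomobject]@{ Offered = $Protocol; Accepted = $true;  Negotiated = $ssl.SslProtocol }
    } catch {
        # A refusal is only conclusive if the probing client itself still allows
        # the offered version; a client with SSL 3.0 disabled fails here as well.
        [pscustomobject]@{ Offered = $Protocol; Accepted = $false; Negotiated = $null }
    } finally {
        $client.Dispose()
    }
}

# Usage on the Terminal Server host, then reboot:
#   Set-SchannelServerProtocols
#   Get-SchannelServerProtocols | Format-Table
# Usage from another machine after the reboot. Expected result: Ssl3 and Tls
# (TLS 1.0) refused, Tls11 and Tls12 accepted.
#   foreach ($v in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
#       Test-TlsVersion -TargetHost 'safeq-ts.example.com' -Port 5021 -Protocol $v
#   }
```

The probe is the check that matters: the registry values show intent, but only a live handshake confirms that nothing (Group Policy, a later update, a different listener on the same port) has re-enabled SSL 3.0 or TLS 1.0 on the server.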

Additional information about other YSoft SafeQ components can be found in the documentation.