Disabling the TLS 1.0 protocol in Enterprise Vault

Article: 100041638
Last Published: 2022-03-31
Product(s): Enterprise Vault

Transport Layer Security (TLS) 1.0 is a cryptographic protocol that is used to establish a secure communications channel between two systems. A number of vulnerabilities in TLS 1.0 have been uncovered, so you may want to disable it in your Enterprise Vault (EV) 12.x environment and migrate to a later version of TLS — notably TLS 1.1 and TLS 1.2. This article describes how to disable TLS 1.0, but it also explains the consequences of doing so: some Enterprise Vault functionality may not work as expected after you disable TLS 1.0.

Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes.

How to disable TLS 1.0

 

  1. On the Enterprise Vault server, open the Registry Editor.
  2. Create the following subkey, if it does not already exist:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

  3. Under the Server subkey, create the following entries:

    Name               Type   Value
    DisabledByDefault  DWORD  1
    Enabled            DWORD  0
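
Steps 1 to 3 can also be scripted. The following PowerShell is an added example, not Veritas code: it exports the SCHANNEL branch first, creates the subkey and the two entries from the table, and reads them back. The backup location under %TEMP% is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article).
$schannel = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$key      = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
$wanted   = [ordered]@{ DisabledByDefault = 1; Enabled = 0 }

# Back up the SCHANNEL branch before touching it, as the warning above recommends.
# The backup path is an assumption; choose a location that suits your environment.
$backup = Join-Path $env:TEMP ("schannel-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $schannel $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no changes were made." }

# Step 2: create the subkey (and any missing parent keys) only if it is absent.
# The Test-Path guard matters: New-Item -Force on an existing key would reset it.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Step 3: create or overwrite the two DWORD entries from the table.
foreach ($name in $wanted.Keys) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $wanted[$name] -Force | Out-Null
}

# Read the values back and stop with an error if either one differs.
$actual = Get-ItemProperty -Path $key
foreach ($name in $wanted.Keys) {
    if ($actual.$name -ne $wanted[$name]) {
        throw "$name is '$($actual.$name)', expected $($wanted[$name])."
    }
}
"TLS 1.0 server entries are set. Backup written to $backup"
```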

 

How disabling TLS 1.0 may affect some Enterprise Vault functionality

 

You may need to take additional steps to ensure that all Enterprise Vault functionality continues to work as expected, after you disable the TLS 1.0 protocol.

Note: Weak protocols and ciphers are blocked in EV version 12.4 and later. For more information, refer to the "Weak protocols and ciphers are blocked" section of the Upgrade Instructions document.

User access through the Enterprise Vault Outlook Add-In for Windows and Client for Mac OS X

 

After you disable TLS 1.0, users cannot use either of the following to access their archived items:

  • The Enterprise Vault Outlook Add-In on computers that are running Windows 7 Original Release. To restore access, encourage any affected users to upgrade to Windows 7 Service Pack 1 and its latest updates.
  • The Enterprise Vault Client for Mac OS X. Veritas is currently investigating this issue, which may be resolved in a future version of the software.

To ensure that Windows users can continue to access Enterprise Vault through the Outlook Add-In and browser-based facilities like Enterprise Vault Search, they must check that TLS 1.1 and TLS 1.2 are enabled in Internet Explorer.

To check that TLS 1.1 and TLS 1.2 are enabled

  1. On the user's computer, open Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Advanced tab.
  4. Browse to the Security settings.
  5. Ensure that both Use TLS 1.1 and Use TLS 1.2 are selected.

 

Enterprise Vault facilities that use WinHTTP

After you disable TLS 1.0, issues can arise with several Enterprise Vault facilities that use Microsoft Windows HTTP Services (WinHTTP). For example:

  • Users with Vault Caches may be unable to access the items in them.
  • OWA 2010 users may be unable to open or restore archived items, or archive items manually.

On any computer where these issues arise, you can resolve them by ensuring that both TLS 1.1 and TLS 1.2 are fully supported and enabled by default. For instructions on how to do this, see the following article on the Microsoft site:

https://support.microsoft.com/KB/3140245

For example, to specify TLS 1.1 and TLS 1.2 as default secure protocols on the affected computer, assign the value 0x00000A00 to the registry entry DefaultSecureProtocols under the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

 

.NET 4.5.2-based applications

 

.NET 4.5.2-based applications that access the Enterprise Vault virtual directories in Internet Information Services (IIS) may be unable to do so after you disable TLS 1.0. One example of such an application is the sample search application in the Archive Discovery Search Service (ADSS) SDK. However, you may have other, third-party applications that access these virtual directories. You can restore access by setting the registry entry SchUseStrongCrypto on the computer where you have installed the .NET application.

To set the SchUseStrongCrypto registry entry

  1. On the computer where you have installed the .NET 4.5.2-based application, open the Registry Editor.
  2. Navigate to the following subkey:

    • For 32-bit .NET Framework: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • For 64-bit .NET Framework: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
  3. Under the v4.0.30319 subkey, create a DWORD entry called SchUseStrongCrypto and give it a value of 1.
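
To see where a client computer stands before changing anything, the WinHTTP and .NET settings described in the last two sections can be read in one pass. This read-only PowerShell audit is an added example, not Veritas code; the function names are hypothetical, and the bit values used to decode DefaultSecureProtocols are the ones documented in the Microsoft article linked above.

```powershell
# Added example (not from the original article): read-only audit, changes nothing.
# DefaultSecureProtocols is a bit mask; these flag values come from Microsoft KB 3140245.
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x00000008; 'SSL 3.0' = 0x00000020; 'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200; 'TLS 1.2' = 0x00000800
}

function Get-WinHttpDefaultProtocols {
    param([Parameter(Mandatory)][int]$Value)
    # Names of the protocols whose bit is set in the DWORD.
    @($protocolBits.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key })
}

function Get-ClientTlsAudit {
    # WinHTTP: the subkey named in this article.
    $winHttp = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
    $dsp = (Get-ItemProperty -Path $winHttp -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
    $enabled = if ($null -ne $dsp) { Get-WinHttpDefaultProtocols -Value $dsp } else { @() }
    [pscustomobject]@{
        Setting = 'WinHTTP DefaultSecureProtocols'
        Value   = if ($null -ne $dsp) { '0x{0:X8}' -f $dsp } else { 'not set' }
        Detail  = $enabled -join ', '
        OK      = ($enabled -contains 'TLS 1.1') -and ($enabled -contains 'TLS 1.2')
    }
    # .NET: both v4.0.30319 subkeys listed in the procedure above.
    foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $strong = (Get-ItemProperty -Path $net -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{
            Setting = 'SchUseStrongCrypto'
            Value   = if ($null -ne $strong) { $strong } else { 'not set' }
            Detail  = $net
            OK      = ($strong -eq 1)
        }
    }
}

# The article's example value 0x00000A00 decodes to TLS 1.1 and TLS 1.2 only.
Get-WinHttpDefaultProtocols -Value 0x00000A00
Get-ClientTlsAudit | Format-Table -AutoSize
```

A row with OK = False marks a setting that still needs the change described in its section.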

 

Enterprise Vault and SQL Server on the same computer

 

For security reasons, we strongly recommend that you do not install Enterprise Vault and SQL Server on the same computer. However, if you do want to do this, it is important to note that connectivity issues can arise between the two after you disable TLS 1.0. To resolve these issues, you may need to re-enable TLS 1.0 by removing the registry entries with which you disabled it.
