ID:	7550	Fixed in:
Issue Date:	2021-03-08 20:24 AEST	Owner:	CVS Support
Last Modified:	2021-03-18 21:28 AEST	Reporter:	Arthur Barrett
Current Est.	0.0 hours	% Complete:	0.0
Status:	NEW /	Severity:	normal

Affected:	2.8.01
Description:	win: sspi with Schannel, how to restrict to TLS 1.2

Actions:

2021-03-08 20:24 AEST by Arthur Barrett - More customers are wanting to disable TLS 1.0 and 1.1

If the windows server running CVSNT Server Service disables these 'server' protocols in the registry, does the 
CVSNT client now auto-negotiate TLS 1.1 OK?
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

Is the negotiated protocol logged?

Is there a CVSNT specific way of controlling the allowed protocols?  I think 'Schannel' enable checkbox on the 
server is too wide - we need to be able to use Schannel, but only TLS 1.2 or higher.

Is Schannel used for SSPI even if it is not enabled but 'SSPI Negotiate Support' is enabled?

2021-03-18 21:28 AEST by Arthur Barrett - This is very much related to bug 7039: win: enh: SSPI/Schannel should avoid use of weak encryption

Query page