TLS 1.1 and 1.2 must be enabled and TLS 1.2 must be selected as the default secure protocol on the FOS server for the new e-APIS REST connection.
Add support for TLS 1.1 & TLS 1.2 in Windows Server 2008
To run this update on Windows Server 2008, you must have Windows Server 2008 SP2 installed.
You must restart the computer after you apply these updates.
How to enable TLS 1.1 and TLS 1.2
Note: For TLS 1.1 & 1.2 to be enabled and negotiated, you must create the DisabledByDefault DWORD entry in the appropriate subkey (Client, Server), and then change the DWORD value to 0. By default, this entry does not exist in the registry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
TLS 1.2 subkey table
Subkey               Description                                 Default
Client               Controls the use of TLS 1.2 on the client   Enabled
Server               Controls the use of TLS 1.2 on the server   Enabled
DisabledByDefault    Flag to disable TLS 1.2 by default          Enabled
Set TLS 1.2 as the default secure protocol
Applications and services that are written by using WinHTTP for Secure Sockets Layer (SSL) connections can't use TLS 1.1 or TLS 1.2 protocols.
This update adds support for DefaultSecureProtocols registry entry that allows the system administrator to specify which SSL protocols should be used by default.
This can allow certain applications that were built to use the WinHTTP default flag to be able to leverage the newer TLS 1.2 or TLS 1.1 protocols natively without any need for updates to the application.
This update requires that the Secure Channel (SCHANNEL) component be configured to support TLS 1.1 and 1.2. As these protocol versions are not enabled by default in Windows 7 and Windows 2008, you must configure the registry settings to ensure applications can successfully use TLS 1.1 and 1.2.
This update will not change the behavior of applications that are manually setting the secureprotocols instead of passing the default flag.
The DefaultSecureProtocols registry entry can be added in the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
The registry value is a DWORD bitmap.
DefaultSecureProtocols Value    Protocol Enabled
0x00000008                      Enable SSL 2.0 by default
0x00000020                      Enable SSL 3.0 by default
0x00000080                      Enable TLS 1.0 by default
0x00000200                      Enable TLS 1.1 by default
0x00000800                      Enable TLS 1.2 by default
For example:
The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.
Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800), then add them together in Calculator (in programmer mode). The resulting registry value is 0x00000A00.
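The registry steps above can be checked and applied in one pass. The following PowerShell script is an added example, not part of the original article or of the Microsoft updates it describes. The -Apply switch is a hypothetical parameter of this script, and the TLS 1.1 subkey path is assumed to mirror the TLS 1.2 path shown earlier.

```powershell
# Added example: audit (default) or apply (-Apply) the settings described above.
# Run from an elevated prompt; restart the server after applying changes.
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$winHttp  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
# Bitmap from the table above: TLS 1.1 (0x200) combined with TLS 1.2 (0x800) = 0xA00
$wantProtocols = 0x00000200 -bor 0x00000800

# Build the list of (key, value name, expected DWORD) to check.
$targets = @()
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {      # TLS 1.1 path assumed by analogy
    foreach ($role in 'Client', 'Server') {
        $targets += @{ Key = "$schannel\$proto\$role"; Name = 'DisabledByDefault'; Want = 0 }
    }
}
foreach ($key in $winHttp) {
    # Wow6432Node exists only on x64-based computers; skip it elsewhere.
    if ($key -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    $targets += @{ Key = $key; Name = 'DefaultSecureProtocols'; Want = $wantProtocols }
}

foreach ($t in $targets) {
    $name    = $t.Name
    $current = $null
    if (Test-Path $t.Key) {
        $prop = Get-ItemProperty -Path $t.Key -Name $name -ErrorAction SilentlyContinue
        if ($prop) { $current = $prop.$name }
    }
    # A missing value is a failure: by default the entry does not exist.
    $ok    = ($null -ne $current) -and ($current -eq $t.Want)
    $state = if ($ok) { 'OK' } else { 'MISSING/WRONG' }

    if (-not $ok -and $Apply) {
        # Create the key only when absent so an existing key is never recreated.
        if (-not (Test-Path $t.Key)) { New-Item -Path $t.Key -Force | Out-Null }
        New-ItemProperty -Path $t.Key -Name $name -Value $t.Want -PropertyType DWord -Force | Out-Null
        $state = 'SET'
    }
    $shown = if ($null -ne $current) { '0x{0:X8}' -f $current } else { '(not present)' }
    "{0,-14} {1}\{2} = {3} (want 0x{4:X8})" -f $state, $t.Key, $name, $shown, $t.Want
}
```

Run it once without arguments to see which values are missing, then again with -Apply and restart the computer.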
References
https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
https://docs.microsoft.com/en-us/security/solving-tls1-problem