Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that use cryptographic algorithms to secure the communication between two entities. It is just a secure layer running on top of HTTP.

           

SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | HTTP
SSL Record Protocol
TCP
IP

Overview of SSL Protocol Stack

Several versions of SSL have been released since its advent in 1995 (SSL 2.0 by Netscape Communications; SSL 1.0 was never released). Here is the list:

  • SSL 1.0, 2.0 and 3.0
  • TLS 1.0 (or SSL 3.1, released in 1999)
  • TLS 1.1 (or SSL 3.2, released in 2006)
  • TLS 1.2 (or SSL 3.3, released in 2008)

SSL was renamed to TLS when it was handed over to the IETF for standardizing the security protocol layer in 1999. After making a few changes to SSL 3.0, the IETF released TLS 1.0. TLS 1.0 is being used by several web servers and browsers to date. What I have never understood is that there have been newer versions released after this, with the latest being TLS 1.2, released in 2008.

However, in spite of the newer versions, the internet industry continues to use the decade-old protocol TLS 1.0. What is more shocking is that there are a few web servers out there which still support SSL 2.0. Now, someone should seriously consider blocking these protocols on the server side.

Now let’s come to the point. On Windows, support for the SSL/TLS protocols is tied to the SCHANNEL component. So, if a specific OS version doesn’t support an SSL/TLS version, that version remains unsupported.

All Windows components and applications abide by this rule and can support only those protocols which are supported at the OS level, for example IIS and Internet Explorer.

The table below should give you a good understanding of which protocols are supported on each Windows OS.

Windows OS Version

SSL 2.0 SSL 3.0 TLS 1.0 TLS 1.1 TLS 1.2
Windows XP & Windows Server 2003
Windows Vista & Windows Server 2008

Windows 7 & Windows Server 2008 R2
Windows 8 & Windows Server 2012

Table depicting support for various SSL/TLS versions on different Windows OS

          
      
So Windows 7 and Windows Server 2008 R2 are the only two operating systems out there which include support for TLS 1.1 and TLS 1.2. These are not enabled by default and have to be enabled via the registry.
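The registry change mentioned above, as an added example that is not part of the original post: a PowerShell script that reports and then sets the per-protocol SCHANNEL values for both the client and server roles. The desired state (TLS 1.1 and TLS 1.2 on, SSL 2.0 off) and the function names are assumptions chosen for illustration.

```powershell
# Added example: audit and set SCHANNEL protocol state in the registry.
# Run from an elevated prompt; SCHANNEL picks up the change after a reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state (an assumption for this example): newer TLS on, SSL 2.0 off.
$desired = [ordered]@{
    'SSL 2.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role)
    $key = Join-Path (Join-Path $base $Protocol) $Role
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # No key or no values means the OS default for that protocol applies.
    if ($null -eq $p) { return 'not set (OS default)' }
    "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

function Set-SchannelProtocolState {
    param([string]$Protocol, [ValidateSet('Client', 'Server')][string]$Role, [bool]$Enable)
    $key = Join-Path (Join-Path $base $Protocol) $Role
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled: 1 = protocol usable, 0 = blocked.
    # DisabledByDefault: 0 = offered by default, 1 = not offered unless requested.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enable) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enable)) -Force | Out-Null
}

foreach ($proto in $desired.Keys) {
    foreach ($role in 'Client', 'Server') {
        $before = Get-SchannelProtocolState -Protocol $proto -Role $role
        Set-SchannelProtocolState -Protocol $proto -Role $role -Enable $desired[$proto]
        $after = Get-SchannelProtocolState -Protocol $proto -Role $role
        '{0,-8} {1,-6} before: {2} | after: {3}' -f $proto, $role, $before, $after
    }
}
```

On an OS version whose SCHANNEL does not implement a protocol, writing these values does not add support for it.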

You can cross-check this yourself. Open IE 8 or IE 9 on any of the operating systems listed above. In IE, go to Tools menu -> Internet Options -> Advanced. Scroll to the bottom, i.e., to the Security section. You will see the list of SSL protocols supported by IE. One thing you should remember is that IE supports only those security protocol versions which are supported by the underlying SCHANNEL component of the OS.

So if you are running IE 9 on Windows Server 2008 or Windows Server 2008 R2, then you can quickly check this all by yourself. Below is a snapshot from my machine running IE 9 on Windows 7.

Supported SSL protocols under “Advanced” tab of IE 9 on Windows 7

However, not all browsers or applications rely on the SCHANNEL component. Among the browsers, Opera (version 10 onwards) and Internet Explorer are the only two that provide support for the TLS 1.1 and TLS 1.2 protocols. Chrome, Safari and Firefox continue to provide support only for decade-old security protocols. Whatever happened to being updated to the latest industry standards, especially security protocols?

Among web servers, again, IIS 7.5 is the only one which supports TLS 1.1 and TLS 1.2. As of now, Apache doesn’t support these protocols, as OpenSSL doesn’t include support for them. Hopefully, they’ll catch up to the industry’s new standards.

Hope you find this information helpful. Please let me know if you find any discrepancies.