Enforcing TLS 1.1 and TLS 1.2 for communication between the MFD and YSoft SAFEQ
Applies to YSoft SAFEQ 5 and YSoft SAFEQ 6.
The customer wants to improve security by enforcing TLS 1.1 and 1.2 for the communication between the MFD and YSoft SAFEQ.
The security protocol for incoming connections to YSoft SAFEQ Terminal Server is inherited from the settings of the operating system. Terminal Server does not impose a stricter minimum of its own: it accepts whatever the operating system (Schannel) allows, down to the lowest protocol version that is still enabled on the system.
The security protocol for outgoing connections from YSoft SAFEQ Terminal Server depends on multiple factors (such as the operating system and the .NET version), and the required versions can be set using the system parameter securityProtocolTypesForOutboundCommunication.
The cipher suites for outgoing connections from YSoft SAFEQ Terminal Server also depend on multiple factors (such as Windows Schannel and the .NET version), and they cannot be changed by configuration in YSoft SAFEQ.
Resolution:
- To force Terminal Server to use TLS 1.1/TLS 1.2 for outgoing connections (e.g. when connecting to the MFD), change the value of the parameter securityProtocolTypesForOutboundCommunication (expert view within System Settings in the YSoft SAFEQ management interface) to: Tls11, Tls12
- To force Terminal Server to accept only TLS 1.1/TLS 1.2 for incoming connections, the operating system configuration must be updated. See below for instructions on how to do this:
- Create a file named TLS.reg with the content shown below
- Upload the file to the server where the affected Terminal Server runs and import it into the registry (double-click the file, or run "reg import TLS.reg" from an elevated command prompt)
- Restart the server where the file was applied

Note: we recommend reviewing this change with the customer's administrator; a registry change like this might be overridden, for example by domain Group Policy. Also be aware that the Schannel "Server" keys below apply to every Schannel-based service on that server (for example RDP or IIS), not only to Terminal Server, so clients of those services must support TLS 1.1 or 1.2 as well.

tls.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
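The following PowerShell script is an added example and is not part of the original YSoft article or of the YSoft SAFEQ product. It applies the same server-side Schannel settings as the .reg file above in an idempotent way, reads them back so the result can be checked, and, after the reboot, probes the Terminal Server's TLS port with each protocol version to confirm that TLS 1.0 (and SSL 3.0) are now rejected while TLS 1.1 and 1.2 are still accepted. The host name and port ($TerminalServerHost, $TerminalServerPort) are assumptions and must be replaced with the real Terminal Server address and its TLS listening port; the protocol names Ssl3, Tls, Tls11 and Tls12 are the .NET SslProtocols enum members, which is also why the outbound parameter above takes the values Tls11, Tls12.

```powershell
# Added example, not YSoft code. Run in an elevated Windows PowerShell 5.1 (or later) prompt.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired server-side state per protocol, mirroring the TLS.reg file:
# SSL 3.0 and TLS 1.0 off, TLS 1.1 and TLS 1.2 on.
$ServerPolicy = @{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Set-SchannelServerProtocol {
    param([string]$Protocol, [bool]$Enabled)
    $key = Join-Path $SchannelRoot "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=1 / DisabledByDefault=0 turns the version on; Enabled=0 / DisabledByDefault=1 turns it off.
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enabled)        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelServerProtocol {
    param([string]$Protocol)
    $key = Join-Path $SchannelRoot "$Protocol\Server"
    if (-not (Test-Path $key)) { return "$Protocol : not configured (operating system default applies)" }
    $p = Get-ItemProperty -Path $key
    "$Protocol : Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

function Test-TlsVersion {
    # Opens a TCP connection and attempts a TLS handshake restricted to one protocol version.
    param([string]$TargetHost, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Certificate validation is bypassed because this probe only cares about the negotiated
        # protocol version, not about trust (Terminal Server certificates are often self-signed).
        # Never do this in production client code.
        $callback = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        $result = "accepted (negotiated $($ssl.SslProtocol))"
        $ssl.Dispose()
    } catch {
        $msg = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        $result = "rejected ($msg)"
    } finally {
        $client.Dispose()
    }
    "$Protocol -> $result"
}

# 1. Apply the policy (same effect as importing TLS.reg), then read it back.
#    It takes effect only after the reboot required by the procedure above.
foreach ($proto in $ServerPolicy.Keys) {
    Set-SchannelServerProtocol -Protocol $proto -Enabled $ServerPolicy[$proto]
}
$ServerPolicy.Keys | Sort-Object | ForEach-Object { Get-SchannelServerProtocol -Protocol $_ }

# 2. After the reboot, probe the Terminal Server from another machine.
#    Expected: Ssl3 and Tls rejected, Tls11 and Tls12 accepted.
#    Caveat: a rejection can also come from the probing client's own Schannel policy
#    (if SSL 3.0 / TLS 1.0 are disabled on the client too), so probe from a client that
#    still has the old versions enabled, or treat "Tls rejected, Tls12 accepted" as the signal.
$TerminalServerHost = 'safeq-ts.example.internal'   # assumption: replace with the real Terminal Server host
$TerminalServerPort = 443                            # assumption: replace with the port Terminal Server listens on
foreach ($v in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -TargetHost $TerminalServerHost -Port $TerminalServerPort -Protocol ([System.Security.Authentication.SslProtocols]$v)
}
```

Step 1 is only a scripted equivalent of the .reg import; if the customer's domain Group Policy manages Schannel settings, the read-back in step 1 will show the values written here, but Group Policy may reset them on the next refresh, which is exactly why the post-reboot probe in step 2 is the check that matters.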
Additional information for other YSoft SAFEQ components can be found in the documentation.