Introduction

With the PCI Security Standards Council's move to Transport Layer Security (TLS) 1.2 on the 30th of June, 2018, various 3rd-party providers are disabling the use of older TLS and SSL protocol versions in their products. 

K2 integrates with many 3rd-party providers such as Microsoft SharePoint, DocuSign, and Salesforce. Following the PCI move to TLS 1.2, communication errors may occur when a K2 solution is integrated with any of these providers and the system on which K2 resides is NOT configured for TLS 1.2.

Configuring TLS 1.2

K2 follows Microsoft's Transport Layer Security (TLS) best practices for the .NET Framework and does not specify a TLS or SSL version. K2 runs under the .NET 4.6 runtime, which fully supports TLS 1.2 for both server (inbound) and client (outbound) connections.

If the server on which K2 is installed is not correctly configured for TLS 1.2, errors may occur. Below is an example of an error that may occur when TLS 1.2 is not configured correctly:
The underlying connection was closed. An unexpected error occurred on a send.

To avoid these issues you have two options:

  • Minimum Requirement: Make sure that the K2 server can communicate with other services that only allow TLS 1.2
  • Maximum Protection: Force the entire server to only allow TLS 1.2 connections so that incoming and outgoing connections use this higher level of security

These changes are .NET and system-specific settings and affect all .NET applications on the server, not just connections in and out of K2. Be sure to test these changes in a non-production environment after making them so that you don't unexpectedly break other systems that may not support TLS 1.2.

Minimum Requirement

To implement the minimum requirement, add or edit the following keys in your K2 server's registry.

Editing the registry incorrectly can cause system instability or crashes. You should back up the registry before making any changes, and you should be familiar with editing the registry before adding or modifying these keys.

Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
Value SchUseStrongCrypto
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
Value SchUseStrongCrypto
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value Enabled
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value Enabled
Data Type DWORD
Data 00000001
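
The following PowerShell script is an added example, not K2 or Microsoft code. It backs up the affected registry branches and then writes the Minimum Requirement values listed above. The backup folder under %TEMP% and the branch file names are assumptions; run it from an elevated session.

```powershell
# Added example: apply the "Minimum Requirement" values from the list above.
# Run in an elevated PowerShell session on the K2 server.
$net   = 'SOFTWARE\Microsoft\.NETFramework'
$wow   = 'SOFTWARE\Wow6432Node\Microsoft\.NETFramework'
$chan  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$tls12 = "$chan\Protocols\TLS 1.2"

# Key (relative to HKLM), value name, DWORD data, exactly as listed on this page.
$settings = @(
    @{ Key = "$net\v2.0.50727"; Name = 'SystemDefaultTlsVersions'; Data = 1 }
    @{ Key = "$wow\v2.0.50727"; Name = 'SystemDefaultTlsVersions'; Data = 1 }
    @{ Key = "$net\v4.0.30319"; Name = 'SchUseStrongCrypto';       Data = 1 }
    @{ Key = "$net\v4.0.30319"; Name = 'SystemDefaultTlsVersions'; Data = 1 }
    @{ Key = "$wow\v4.0.30319"; Name = 'SchUseStrongCrypto';       Data = 1 }
    @{ Key = "$wow\v4.0.30319"; Name = 'SystemDefaultTlsVersions'; Data = 1 }
    @{ Key = "$tls12\Client";   Name = 'DisabledByDefault';        Data = 0 }
    @{ Key = "$tls12\Client";   Name = 'Enabled';                  Data = 1 }
    @{ Key = "$tls12\Server";   Name = 'DisabledByDefault';        Data = 0 }
    @{ Key = "$tls12\Server";   Name = 'Enabled';                  Data = 1 }
)

# Back up the affected branches first (backup folder name is an assumption).
$backupDir = Join-Path $env:TEMP ("tls12-backup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$i = 0
foreach ($branch in $net, $wow, $chan) {
    if (-not (Test-Path "HKLM:\$branch")) { continue }   # nothing to back up yet
    $i++
    reg.exe export "HKLM\$branch" (Join-Path $backupDir "branch$i.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKLM\$branch failed; nothing was changed." }
}

foreach ($s in $settings) {
    $path = "HKLM:\$($s.Key)"
    # Create the key only when it is missing, so existing values under it are kept.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $s.Name -Value $s.Data `
        -PropertyType DWord -Force | Out-Null
    Write-Output ("set  {0}\{1} = {2}" -f $path, $s.Name, $s.Data)
}
Write-Output "Registry backup written to $backupDir"
```

SCHANNEL protocol values are read at startup, so restart the server before testing the integrations.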

Maximum Protection

To implement the maximum protection for all .NET apps on the K2 server, including K2, add or edit the following keys in your K2 server's registry.

Editing the registry incorrectly can cause system instability or crashes. You should back up the registry before making any changes, and you should be familiar with editing the registry before adding or modifying these keys.

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
Value Enabled
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
Value Enabled
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
Value Enabled
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
Value Enabled
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
Value Enabled
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
Value Enabled
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value Enabled
Data Type DWORD
Data 00000001

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000000

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value Enabled
Data Type DWORD
Data 00000001
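
The following read-only PowerShell check is an added example, not K2 or Microsoft code. It compares the SCHANNEL protocol values on the server with the Maximum Protection list above and flags any entry that is missing or different. The helper name Get-SchannelDword is hypothetical.

```powershell
# Added example: audit SCHANNEL against the "Maximum Protection" list above.
# Read-only; makes no changes to the registry.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol -> should it be enabled under the Maximum Protection profile?
$expected = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

# Hypothetical helper: returns the DWORD, or $null when the key or value is absent.
function Get-SchannelDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($proto in $expected.Keys) {
    foreach ($role in 'Client', 'Server') {
        $path        = "$base\$proto\$role"
        $wantEnabled = [int]$expected[$proto]
        $wantDbd     = 1 - $wantEnabled        # DisabledByDefault is the inverse
        $enabled     = Get-SchannelDword -Path $path -Name 'Enabled'
        $dbd         = Get-SchannelDword -Path $path -Name 'DisabledByDefault'
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = if ($null -eq $enabled) { '(not set)' } else { $enabled }
            DisabledByDefault = if ($null -eq $dbd) { '(not set)' } else { $dbd }
            # A missing value falls back to the OS default, so it counts as drift.
            Compliant         = ($enabled -eq $wantEnabled) -and ($dbd -eq $wantDbd)
        }
    }
}

$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning 'One or more SCHANNEL entries differ from the Maximum Protection list.'
}
```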