
K2 and TLS 1.2 Support


Introduction

With the PCI Security Standards Council's move to Transport Layer Security (TLS) 1.2 on the 30th of June, 2018, various 3rd-party providers are disabling the use of older TLS and SSL protocol versions in their products. 

K2 integrates with many 3rd-party providers such as Microsoft SharePoint, DocuSign, and SalesForce. With the PCI move to TLS 1.2, a K2 solution that is integrated with these providers may experience communication errors if the system on which K2 resides is NOT configured for TLS 1.2.

Configuring TLS 1.2

K2 follows Microsoft's Transport Layer Security (TLS) best practices for the .NET Framework and does not hard-code a TLS or SSL version; it relies on the operating system defaults. K2 runs under the .NET 4.6 runtime, which fully supports TLS 1.2 for both server (inbound) and client (outbound) connections.

If the server on which K2 is installed is not correctly configured for TLS 1.2, errors may occur. Below is an example of an error that may occur when TLS 1.2 is not configured correctly:

    The underlying connection was closed. An unexpected error occurred on a send.

To avoid these issues you have two options:

  • Minimum Requirement: Make sure that the K2 server can communicate with other services that only allow TLS 1.2
  • Maximum Protection: Force the entire server to only allow TLS 1.2 connections so that incoming and outgoing connections use this higher level of security

These changes are .NET and system-wide settings and affect all .NET applications on the server, not just K2. Test these changes in a non-production environment before applying them to production, so that you don't unexpectedly break other systems that may not support TLS 1.2.

Editing the registry incorrectly can cause system instability or crashes. You should back up the registry before making any changes, and you should be familiar with editing the registry before adding or modifying these keys.

Minimum Requirement

To implement the minimum requirement, add or edit the following keys in your K2 server's registry:

Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
Value SchUseStrongCrypto
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
Value SchUseStrongCrypto
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
Value SystemDefaultTlsVersions
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value Enabled
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value Enabled
Data Type DWORD
Data 00000001

Maximum Protection

To implement the maximum protection for all .NET apps on the K2 server, including K2, configure all settings as listed in the minimum requirements section above, and then also add or edit the following keys in your K2 server's registry:

Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
Value Enabled
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
Value Enabled
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
Value Enabled
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
Value Enabled
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
Value Enabled
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
Value Enabled
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value DisabledByDefault
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
Value Enabled
Data Type DWORD
Data 00000001
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value DisabledByDefault
Data Type DWORD
Data 00000000
 
Registry Path [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
Value Enabled
Data Type DWORD
Data 00000001
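The following script is an added example and not a K2 script: it applies the registry values from the Minimum Requirement section above and, with the -MaximumProtection switch, the additional Maximum Protection values that disable SSL 3.0, TLS 1.0 and TLS 1.1 for both the Client and Server sides. It is idempotent (a value is written only when it differs), supports -WhatIf so the planned changes can be reviewed first, and prints the resulting SCHANNEL state at the end. It assumes an elevated PowerShell session on the K2 server and that the server is rebooted afterwards, since SCHANNEL protocol settings are read at startup.

```powershell
<#
  Added example, not a K2 script: applies the registry values listed in the
  "Minimum Requirement" section and, with -MaximumProtection, the extra
  "Maximum Protection" values that disable SSL 3.0, TLS 1.0 and TLS 1.1.
  Run in an elevated PowerShell on the K2 server; supports -WhatIf and -Verbose.
  Assumption: a reboot follows, since SCHANNEL settings are read at boot.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$MaximumProtection
)

$Schannel   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-RegDword {
    # Idempotent: creates the key if missing, writes only when the value differs.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'create key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }
    $current = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($current -eq $Value) {
        Write-Verbose "unchanged  $Path\$Name = $Value"
        return
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "set DWORD to $Value (was '$current')")) {
        New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
        Write-Host "changed    $Path\$Name : '$current' -> $Value"
    }
}

function Set-SchannelProtocol {
    # Enabled=1 / DisabledByDefault=0 turns a protocol on;
    # Enabled=0 / DisabledByDefault=1 turns it off (as in the tables above).
    param([string]$Protocol, [bool]$Enable)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path -Path $Schannel -ChildPath "$Protocol\$side"
        Set-RegDword -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable))
        Set-RegDword -Path $key -Name 'Enabled'           -Value ([int]$Enable)
    }
}

# --- Minimum Requirement ---------------------------------------------------
foreach ($key in $DotNetKeys) {
    Set-RegDword -Path $key -Name 'SystemDefaultTlsVersions' -Value 1
    if ($key -like '*\v4.0.30319') {
        Set-RegDword -Path $key -Name 'SchUseStrongCrypto' -Value 1
    }
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# --- Maximum Protection (optional) -----------------------------------------
if ($MaximumProtection) {
    foreach ($p in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        Set-SchannelProtocol -Protocol $p -Enable $false
    }
}

# --- Audit: show the resulting SCHANNEL state for review -------------------
$audit = foreach ($p in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $v = Get-ItemProperty -LiteralPath (Join-Path $Schannel "$p\$side") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            Side              = $side
            Enabled           = $v.Enabled            # $null = key absent, OS default applies
            DisabledByDefault = $v.DisabledByDefault
        }
    }
}
$audit | Format-Table -AutoSize
```

Run it first as `.\Set-K2Tls12.ps1 -MaximumProtection -WhatIf` to see every key and value it would change without touching the registry; a row in the final table whose Enabled and DisabledByDefault columns are both blank means that protocol key does not exist and Windows is applying its built-in default for that version.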

Considerations

  • If you see errors like "Initialization failed before PreInit: Membership could not be verified: A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.)", it might mean that one of the app pools used for a K2 site is still set to use an earlier version of the .NET Framework. Use IIS Manager to identify the .NET version associated with the App Pools linked to the K2 sites. You may find it necessary to set these App Pools to use a later version of .NET (e.g. .NET 4.0) that supports TLS 1.2 or later.
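The script below is an added example, not a K2 script, for the check described in the consideration above: it lists the application pool behind each IIS site and child application together with the pool's managed runtime version, so pools still running an older CLR (for example v2.0) stand out. The -SitePattern parameter is an assumption for narrowing the list to the K2 sites, whose names vary per installation; -Fix switches flagged pools to v4.0 and honours -WhatIf. It requires the WebAdministration module that ships with IIS on the server.

```powershell
<#
  Added example, not a K2 script: report (and optionally fix) the managed
  runtime version of the application pools behind IIS sites.
  -SitePattern  wildcard on site name (assumed; e.g. '*K2*') to narrow the list
  -Fix          set flagged pools to v4.0, supports -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SitePattern = '*',
    [switch]$Fix
)
Import-Module WebAdministration

$rows = foreach ($site in Get-Website | Where-Object { $_.Name -like $SitePattern }) {
    # Root application pool of the site plus the pools of any child applications
    $pools = @($site.applicationPool) +
             @(Get-WebApplication -Site $site.Name | ForEach-Object { $_.applicationPool })
    foreach ($pool in ($pools | Sort-Object -Unique)) {
        $runtime = (Get-Item -Path "IIS:\AppPools\$pool").managedRuntimeVersion
        # '' means "No Managed Code" (not a .NET pool), so only v1.x / v2.0 pools are flagged
        $needsUpdate = ($runtime -ne '' -and $runtime -ne 'v4.0')
        if ($Fix -and $needsUpdate -and
            $PSCmdlet.ShouldProcess($pool, 'set managedRuntimeVersion to v4.0')) {
            Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name managedRuntimeVersion -Value 'v4.0'
            $runtime = 'v4.0'
            $needsUpdate = $false
        }
        [pscustomobject]@{
            Site        = $site.Name
            AppPool     = $pool
            Runtime     = $runtime
            NeedsUpdate = $needsUpdate
        }
    }
}
$rows | Format-Table -AutoSize
```

Changing a pool's runtime version recycles it, so run the report first without -Fix, confirm the flagged pools really belong to the K2 sites, and apply the change in a maintenance window.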