ERR_SSL_VERSION_OR_CIPHER_MISMATCH / Cannot securely connect to this page . . . Your TLS security settings aren't set to the defaults
Normally, a browser and web server will negotiate in order to find out the most secure protocols that they both support.
If a newer browser (which may have older protocols disabled) connects to an older server (which may not support newer protocols), you might get a message such as this in Edge / Chrome:
With the detail:
Or this in Internet Explorer:
It is possible to enable support for older versions of TLS for a browser, but generally this isn't desirable and the better solution is to update the versions of TLS available on the server.
This is an OS configuration job, and so is outside the scope of our application support; however, it is useful to know how the job is done. The following is provided for information only, and is not official guidance from Ideagen.
Windows 2008
Windows 2008 shipped with TLS v1.0. TLS v1.1 and v1.2 can be added to the server as described here:
https://www.microsoft.com/security/blog/2017/07/20/tls-1-2-support-added-to-windows-server-2008/
Windows 2008 R2 (SP1) and Windows 2012
TLS v1.1 and v1.2 are both available in these releases of Windows, but are turned off by default.
Microsoft provide information on turning them on here:
The process involves hand-editing various registry entries, so is quite cumbersome and error-prone. Various alternatives exist and can be found on the Internet, e.g. PowerShell scripts and helper applications.
An example is IIS Crypto, which can be used to do the same job via a friendly GUI: https://www.nartac.com/Products/IISCrypto/.
When you launch the tool it shows the current state of the server. A grey tick means that the default value is in use:
To enable TLS v1.1 and v1.2 you can tick the relevant boxes so that the ticks become black, then click Apply:
The server has to be rebooted before the change takes effect.
Key points are:
- These changes should be tested, and you should always note what changes are made so that they can be rolled back if applications stop working
- These changes require server reboots
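The registry changes that IIS Crypto makes for you can also be made with a short PowerShell script. The following is an added example, not code from the article or from Ideagen, and assumes an elevated prompt and a backup folder of C:\Temp; it records the current SCHANNEL protocol keys before touching them so the change can be rolled back, as the key points above recommend.

```powershell
# Added example (not from the article or from Ideagen): enables TLS 1.1 and 1.2
# in SCHANNEL on Windows Server 2008 R2 / 2012 by setting the same registry
# values that the Microsoft article describes. Run from an elevated PowerShell
# prompt; the server still has to be rebooted afterwards.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$backup = "C:\Temp\schannel-protocols-$(Get-Date -Format yyyyMMdd-HHmmss).reg"  # assumed path

# Record the current state first so the change can be rolled back with: reg import <file>
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backup /y | Out-Null

function Enable-TlsProtocol {
    param([string]$Name)   # e.g. 'TLS 1.2'
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 turns the protocol on; DisabledByDefault=0 lets SCHANNEL
        # offer it without the application having to request it explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

'TLS 1.1', 'TLS 1.2' | ForEach-Object { Enable-TlsProtocol -Name $_ }

# Show the resulting values so they can be noted down alongside the backup file.
Get-ChildItem $base -Recurse | Get-ItemProperty | Select-Object PSPath, Enabled, DisabledByDefault
Write-Host "Backup written to $backup. Reboot the server for the change to take effect."
```

Test the result on a non-production server first, and keep the exported .reg file with your change record.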
Identifying a cipher suite from a browser
If you can connect to a server using a Chrome browser, you can find the cipher suite in use by doing the following:
- Browse to a page using its https address
- Press F12 to activate the developer tools
- Click on the Security tab and look at the Connection: