checkman
Copper Contributor
Mar 06, 2023

Internet Properties: Enable insecure TLS server compatibility

I am currently troubleshooting schannel errors, and I happened to come across this setting in Internet Properties. Can anyone explain how it enables insecure TLS servers to still operate even when only TLS 1.2 and 3 are permitted?

 

1 Reply

  • joshie
    Copper Contributor
    As best I can tell, this setting is to enable/disable the compatibility fix "EnableLegacyTls" that is referenced in the following support article:

    https://support.microsoft.com/en-us/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-after-default-behavior-change-on-september-20-2022-e95b1b47-9c7c-4d64-9baf-610604a64c3e

    The registry key backing the setting is found at \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LegacyTLSAppcompat, which explicitly calls it "Appcompat", the name Windows uses for the application compatibility system (e.g. AppCompatFlags, compatibility shims, sysmain.sdb database). It's not well-documented, but I think if it were another kind of "compatibility", it would not be labeled as "AppCompat" explicitly.
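
A read-only check of the checkbox state behind the key quoted in the reply above, added here as an example and not part of the thread or of Microsoft's documentation. It assumes the entry follows the usual `AdvancedOptions` layout (`HKeyRoot`, `RegPath`, `ValueName`, `CheckedValue`, `UncheckedValue`, `DefaultValue`), which is not confirmed for this entry; the function name is hypothetical.

```powershell
# Added example (read-only). The key path is the one quoted in the reply; the
# value names read from it follow the usual AdvancedOptions layout and are an
# assumption for this entry. Get-LegacyTlsAppcompatState is a hypothetical name.
function Get-LegacyTlsAppcompatState {
    $optKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LegacyTLSAppcompat'
    if (-not (Test-Path -LiteralPath $optKey)) {
        Write-Warning "Checkbox definition not found: $optKey"
        return
    }
    $opt = Get-ItemProperty -LiteralPath $optKey

    # HKeyRoot stores the predefined hive handle as a DWORD; format it as hex so
    # the match works whether the provider returns it signed or unsigned.
    $hive = switch ('{0:X8}' -f $opt.HKeyRoot) {
        '80000001' { 'HKCU:' }
        '80000002' { 'HKLM:' }
        default    { $null }
    }
    if (-not $hive -or -not $opt.RegPath -or -not $opt.ValueName) {
        Write-Warning 'Entry does not match the assumed layout; returning it as-is for manual review.'
        return $opt
    }

    # Read the value the checkbox actually toggles (per-user if the hive is HKCU).
    $target  = '{0}\{1}' -f $hive, $opt.RegPath.TrimStart('\')
    $current = $null
    if (Test-Path -LiteralPath $target) {
        $current = (Get-ItemProperty -LiteralPath $target).($opt.ValueName)
    }

    $state = if ($null -eq $current)                  { 'NotSet (DefaultValue applies)' }
             elseif ($current -eq $opt.CheckedValue)   { 'Checked' }
             elseif ($current -eq $opt.UncheckedValue) { 'Unchecked' }
             else                                      { 'Other' }

    [pscustomobject]@{
        DefinitionKey  = $optKey
        TargetPath     = $target
        ValueName      = $opt.ValueName
        CurrentValue   = $current
        CheckedValue   = $opt.CheckedValue
        UncheckedValue = $opt.UncheckedValue
        DefaultValue   = $opt.DefaultValue
        State          = $state
    }
}

Get-LegacyTlsAppcompatState | Format-List
```

The `TargetPath` and `ValueName` fields in the output show which registry value the checkbox writes, which is the value to baseline or monitor when auditing for the setting being switched on.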
