Internet Properties: Enable insecure TLS server compatibility

Copper Contributor

I am currently troubleshooting schannel errors, and I happened to come across this setting in Internet Properties. Can anyone explain how it enables insecure TLS servers to still operate even when only TLS 1.2 and 3 are permitted?


1 Reply
As best I can tell, this setting is to enable/disable the compatibility fix "EnableLegacyTls" that is referenced in the following support article:

https://support.microsoft.com/en-us/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-...

The registry key backing the setting is found at \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LegacyTLSAppcompat, which explicitly calls it "Appcompat", the name Windows uses for the application compatibility system (e.g. AppCompatFlags, compatibility shims, sysmain.sdb database). It's not well-documented, but I think if it were another kind of "compatibility", it would not be labeled as "AppCompat" explicitly.