SOLVED

TLS 1.3

TLS 1.3 is a very needed feature for those in corporate environments for our public-facing websites. The speed advantages are immense in larger sites with no caching.

Hmm, I added the policy key and restarted all browser sessions; the SSL test shows no change, TLS 1 to 1.3 as yes.
I used the command line msedge.exe --ssl-version-min=tls1.2 and it still tests with 1.0 as yes.

EDITED: It took a full computer restart, and then this worked.
An InPrivate tab still tests as yes for 1.0.

I have successfully set policy key for regular Chrome (\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\SSLVersionMin) and it was detected and works as expected.

I'll just have to create a shortcut using "msedge.exe --ssl-version-min=tls1.2"

Any other suggestions?

Restarting your computer should have no impact; the most likely explanation is that you had a zombie'd msedge.exe somewhere in the background which prevented the flag from taking effect. Visiting edge://version/ will show the command line of the current instance which will help confirm.

Similarly, I'm not able to reproduce your finding for InPrivate mode; when I launch with the command line flag, it's respected as expected while InPrivate.

How specifically did you "add the policy key"?

@Eric_Lawrence Can we have a way (in enterprise), like they do in Firefox, to reject TLS 1.0 and 1.1 and other weak cipher suites?

The SSLVersionMin policy allows enterprises to set a minimum TLS version.

Cipher suites can be controlled via the cipher-suite-denylist command line argument (Chrome uses "cipher-suite-blacklist") as follows:

msedge.exe --ssl-version-min=tls1.2 --cipher-suite-denylist=0x000a https://ssllabs.com

This doesn't appear to be available via policy in Chromium today, see:
https://bugs.chromium.org/p/chromium/issues/detail?id=931204#c5
https://bugs.chromium.org/p/chromium/issues/detail?id=930508#c15

...but it's something that the Edge team might look at if there were significant demand.

I was trying --cipher-suite-blacklist; I didn't know it was denylist now.

edit: thanks

@Eric_Lawrence 

Opened the URL you gave and read that.

Win key + R, entered regedit, clicked OK.
Navigated to
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies
Added a new key Chromium.
Then in that key added a String value named SSLVersionMin
and set its value to tls1.2.

[Attached screenshot: msEdge_Chromium_Doesn't.jpg]

This is the same process I followed to get the Chrome browser shown below to work. Except it is in the Chrome Key under Google.

[Attached screenshot: ChromeWorks.jpg]

Is there supposed to be another parent key in between, named something like MSEdge? i.e. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\MSEdge\Chromium ?

https://textslashplain.com/2019/05/01/edge-76-vs-edge-18-vs-chrome/
---------
Group Policy and Command Line Arguments
By-default, Edge 76 shares almost all of the same Group Policies and command line arguments as Chrome 76.

If you’re using the registry to set a policy for Edge, put it under the

HKEY_CURRENT_USER\Software\Policies\Microsoft\Edge
…node instead of under the

HKEY_CURRENT_USER\Software\Policies\Google\Chrome
node.

Thanks!

That was the missing piece. I was doing a strict enforcement of the document text you gave in the URL since I couldn't infer what keys the exe is reading when it launches.

I am using Version 77.0.211.3 (Official build) dev (64-bit)

After you specified the other details I was able to add in the Microsoft key and the SSL test is working.

The other Google key for Chrome has to stay. We install multiple browsers on our workstations due to various client requirements.

:thumbs_up:
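The resolution above (the policy lives under Policies\Microsoft\Edge for Edge and Policies\Google\Chrome for Chrome, as a String value named SSLVersionMin) can be applied and checked from an elevated PowerShell prompt. The script below is an added example for this thread, not code from Microsoft or from any poster; it assumes the HKLM paths quoted in the thread and the SSLVersionMin values tls1, tls1.1 and tls1.2 that the Chromium policy accepts, and it writes to HKLM (machine-wide) rather than the HKCU path in the quoted blog text.

```powershell
# Added example (not from the thread): set and verify the Chromium SSLVersionMin
# policy for Microsoft Edge and Google Chrome via the registry.
# Assumptions: policy paths as quoted in the thread; HKLM scope so the policy
# applies to every user on the machine; run from an elevated prompt.

$Policies = @{
    'Microsoft Edge' = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Google Chrome'  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
}

function Set-MinimumTlsPolicy {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('tls1', 'tls1.1', 'tls1.2')] [string] $Minimum = 'tls1.2'
    )
    # Create the policy key if it does not exist yet (a fresh workstation has none).
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # SSLVersionMin is a REG_SZ (String value), exactly as described in the thread.
    New-ItemProperty -Path $Path -Name 'SSLVersionMin' -PropertyType String `
        -Value $Minimum -Force | Out-Null
}

function Get-MinimumTlsPolicy {
    param([Parameter(Mandatory)] [string] $Path)
    # Returns the configured minimum, or $null when no policy is set at this path.
    $item = Get-ItemProperty -Path $Path -Name 'SSLVersionMin' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.SSLVersionMin
}

foreach ($browser in $Policies.Keys) {
    $path = $Policies[$browser]
    Set-MinimumTlsPolicy -Path $path -Minimum 'tls1.2'
    $current = Get-MinimumTlsPolicy -Path $path
    '{0,-15} {1,-45} SSLVersionMin = {2}' -f $browser, $path, $current
}

# Any still-running browser process keeps its old settings, so list lingering
# instances before re-testing; then confirm in edge://policy and edge://version.
Get-Process -Name 'msedge', 'chrome' -ErrorAction SilentlyContinue |
    Select-Object -Property Name, Id, StartTime
```

The final Get-Process call exists because of the earlier exchange in this thread: a background msedge.exe that was never closed will keep negotiating with the old minimum, which looks like the policy "not working" until every instance is gone. Unlike the --ssl-version-min command line switch, the registry policy needs no custom shortcut and shows up on edge://policy, where an enforcement error (wrong key path or value) is reported explicitly.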

It is nice that Edge and Windows 10 and 2019 support TLS 1.3.

However some Windows Update Servers (like fe2.update.microsoft.com on their IPv6 addresses) only support those Ciphers that are known to be weak. Disabling those ciphers in Windows 10 or 2016/2019 breaks Windows Update functionality. So more security actually turns into less security.

https://www.ssllabs.com/ssltest/analyze.html?d=fe2.update.microsoft.com&s=2a01%3a111%3af330%3a1793%3...