will TLS version support 1.0 and 1.2 work simultaneously?

Question

We are supporting SharePoint 2013 onpremises farm.

We need to change the TLS version 1.0 to 1.2 for one specific site collection as per the site owner compliance policy.

If we enable TLS 1.2 in only sharepoint web servers along with existing TLS 1.0 support, will the sites communicated in TLS 1.2 mode in client browsers?

We have workflow manager 1.0 with SSL communication enabled between sharepoint and WFM .

Should i upgrade this WFM communication with SharePoint farm to TLS 1.2 or will it work with existing TLS 1.0?

Answer 1

Windows Server 2008 R2 has SSL3.0 and TLS1.0 enabled by default. TLS1.1 & 1.2 have to be enabled manually. The Server will always try to use the newest configured protocol version. But the client (or a man-in-the-middle!) can enforce unsecure protocols like SSL3.0. You can simulate this by disabling TLS 1.2 & 1.1 on your Client (Internet Options -> Advanced -> Security -> Uncheck Enable TLS 1.1 & 1.2). Load your SharePoint Site -> right-klick -> properties.

My thinkings to your situation:

• Enabling TLS1.1 & 1.2 will not automatically disable older protocol versions. Your farm will support every protocol from SSL3.0 to TLS1.2 - depending on what the client is willing to accept.
• Disabling older protocol-versions might affect your WFM-Infrastructure. As you already learned in your other post, there is not too much practical experience on this topic. I also lack practical experience on that.
• You cannot disable protocol versions for a SiteCollection. Disabling old versions affects your whole farm.
• Do you have to ensure TLS1.2 ONLY (no older version) for the specific SiteCollection?
  • If Yes: You seem to be a little stuck here because of WFM. You should try to implement the TLS1.2 only setup in a separate test-environment first.
  • If No: Enable TLS 1.1 & 1.2 support in Windows and SharePoint as described here
  • You should always try to disable SSL3.0 as it is a known insecure protocol!