Disabling TLS 1.0 on a Server Running TechDoc 9

Now with multiple attacks available against TLS 1.0, more system administrators are interested in disabling the protocol in order to harden their servers. TechDoc 9 has been updated to support running without TLS 1.0 (and all prior SSL protocols) being enabled. However, it can be a little tricky to get all the parts in place to do so. Here's a list of steps needed to disable TLS 1.0 on your server.
  1. Upgrade Microsoft SQL Server

    At the time this article was written, SQL Server 2014 is the latest version of Microsoft's database product. Only SQL Server 2012 SP2, SQL Server 2014, and SQL Server 2014 SP1 are able to support running without TLS 1.0. However, they all require a hot fix to do so; see Microsoft KB 3052404 for more details. If the hot fix is not installed, the SQL Server service will fail to start once TLS 1.0 is disabled.

    Update: If you attempt to connect to your database with SQL Server Management Studio (SSMS) and you receive the error "A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (Microsoft SQL Server, Error: 233)", you probably need to install .Net 4.6 to apply updates so SSMS will work with TLS 1.0 disabled.

    Note: If the database is running remotely, it will still need to be updated if you disable TLS 1.0 client support on the server running TechDoc.
  2. Upgrade TechDoc and TechDoc Add-Ons to Release 9

    TechDoc 9 and its Add-Ons (TechDoc Client, Workflow Editor, Scan Agent, etc.) have all been updated to support TLS 1.0 being disabled. As always, you should upgrade TechDoc components in the following order: Add-Ons, Search Managers, and finally Document Managers.
  3. Disable TLS 1.0 on the Server

    There are several ways to disable TLS 1.0. The easiest way is via the registry. You can download the registry file DisableSSLv2SSLv3TLSv10.reg that we have created for you. Once you download the file on to the server, right click on the file using the Windows File Explorer, click Merge, and reboot your server. The changes will only take effect after a reboot.

    There is a TechNet article about the TLS/SSL registry settings but it is a little hard to decipher what you actually need to do. The tables in the article make DisabledByDefault look like it is a subkey but it should actually be a DWORD entry under the Client or Server subkeys just like Enabled is.
  4. Test, Test, and Test

    Be sure to test well after disabling TLS 1.0. There are many products out there that don't support it being turned off. Test any types of clients that need to access the server; TechDoc or otherwise. Test anything on the server that need to access another server.

    You can independently enable or disable the ability for the server to connect to others using TLS 1.0 (the Client keys in the reg file) or the ability for others to connect to your server using TLS 1.0 (the Server keys in the reg file). Note that our reg file disables TLS 1.0 for client (outgoing) and server (incoming) secure connections.

    Should you run into trouble during testing and need to re-enable TLS 1.0, you can download the registry file EnableTLSv10.reg. Once you download the file on to the server, right click on the file using the Windows File Explorer, click Merge, and reboot your server to re-enable TLS 1.0.

We hope you find this Knowledge Base article helpful!

Product Type: