Since June 2018 TLSv1.0 and TLSv1.1 are officially deprecated on TESTA. Since October 2018 this is enforced by only supporting TLSv1.2 by services on TESTA.

When using Microsoft Windows Server 2012R2 (or lower) and/or Microsoft .NET framework version 4.6.2 or lower (in any combination) additional settings are required.

Please check if the following keys and values are present and set accordingly:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
“AspNetEnforceViewStateMac”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
“AspNetEnforceViewStateMac”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

Please test your connection using EUCOP on the acceptance environment. The server will only accept TLSv1.2, so if the connection is functional, than the changes are successful.

Note, for Server 2008 (Non R2), you will both need the latest windows updates along with the registry keys as mentioned for TLS 1.2 to work
(extra info) https://cloudblogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/

 

When using Microsoft Windows Server 2016 (or higher) and/or Microsoft .NET framework version 4.6.2 or higher, please check if the following keys and values are present and set accordingly

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

Please test your connection using EUCOP on the acceptance environment. The server will only accept TLSv1.2, so if the connection is functional, than the changes are successful.

 

Cipher Suite for TLS handshake

A TLS handshake is done on a specific Cipher Encryption. The highest Cipher, available on both servers will be chosen. Some are considered as weak (E.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384). 

Make sure a good Cipher (E.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) is available higher up in the list.

If you have a recent Windows Server version and the ordering is not changed than it should be good. However here are some links to help:

Cipher suites are dependent on the Windows Server versions:
However the ordering can be changed
Also this tool can be handy for a visual gui of the Ciphers being used: