TLS protocol encryption settings
Posted by Sinclair Hughes, Last modified by Sinclair Hughes on 17 January 2025 03:43 PM

TLS used by SPM & PHM

Some modules in SPM & PHM (e.g. Field Forms and importing patient registration forms) connect to external resources (Azure storage containers) and therefore require TLS encryption.

If you need to enable additional encryption protocols on your server, the following article is useful: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-server. Alternatively, use the utility IIS Crypto (recommended).

The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting makes .NET follow the operating system's protocol configuration instead of its own defaults.

  1. Edit the Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2 (and possibly TLS 1.0)
    Export the Registry key first to back up the existing data.
    The 'Enabled' value under both the Client and Server subkeys needs to be 1.

    Ideally, from a security point of view, SSL 2.0 and SSL 3.0 should be removed or disabled (Enabled = 0), but do not do this until you have checked what effect it might have on other applications using the server.

    DO NOT remove TLS 1.0 if you have not enabled the secure encrypted connection feature in SQL Server, as the TLS 1.0 protocol is needed for unencrypted connections to the Incisive SQL databases.
    If changes have been made to the Server key you will need to reboot the server.

  2. Edit the Registry Keys for:
    • HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
    • HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319

For each key add the following DWORD values:

    • SchUseStrongCrypto            (value of 1)
    • SystemDefaultTlsVersions     (value of 1)

Or run the following PowerShell commands from an elevated (Administrator) prompt:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
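The script below is an added example, not part of the original article or of the SPM/PHM product. It ties steps 1 and 2 together: it reports the current SCHANNEL state for every protocol version (Client and Server), reports the two .NET Framework values, and only when run with -Apply exports a backup of the SCHANNEL key, enables TLS 1.2 and sets the .NET values in both hives. It deliberately does not disable SSL 2.0, SSL 3.0 or TLS 1.0, because the article says to check the effect on other applications and on SQL Server first. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the registry paths and value names are the documented SCHANNEL and .NET ones (DisabledByDefault is the companion SCHANNEL value that the article does not mention; it is shown for completeness).

```powershell
# Added example (not from the original article): audit, back up and apply the
# SCHANNEL / .NET registry settings from steps 1 and 2. Run elevated.
param([switch]$Apply)

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$DotNetKeys   = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'

function Get-RegValue($Path, $Name) {
    # Returns the DWORD value, or 'not set' when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not set' } else { $item.$Name }
}

function Ensure-Key($Path) {
    # Create a registry key only if it does not exist; never touch existing values.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
}

# --- Report: SCHANNEL protocol state for Client and Server -------------------
$schannelReport = foreach ($proto in $Protocols) {
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path $SchannelBase "$proto\$side"
        [pscustomobject]@{
            Protocol          = $proto
            Side              = $side
            Enabled           = Get-RegValue $path 'Enabled'
            DisabledByDefault = Get-RegValue $path 'DisabledByDefault'
        }
    }
}
$schannelReport | Format-Table -AutoSize

# --- Report: .NET Framework values from step 2 -------------------------------
$dotnetReport = foreach ($key in $DotNetKeys) {
    [pscustomobject]@{
        Key                      = $key
        SchUseStrongCrypto       = Get-RegValue $key 'SchUseStrongCrypto'
        SystemDefaultTlsVersions = Get-RegValue $key 'SystemDefaultTlsVersions'
    }
}
$dotnetReport | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to enable TLS 1.2 and set the .NET values.'
    return
}

# --- Back up the SCHANNEL key before changing anything (as the article advises)
$backup = Join-Path $env:TEMP ('SCHANNEL-Protocols-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' "$backup" /y | Out-Null
Write-Host "SCHANNEL backup written to $backup"

# --- Step 1: enable TLS 1.2 for both Client and Server -----------------------
foreach ($side in 'Client', 'Server') {
    $path = Join-Path $SchannelBase "TLS 1.2\$side"
    Ensure-Key $path
    New-ItemProperty -Path $path -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

# --- Step 2: make .NET use strong crypto and follow the OS protocol list ----
foreach ($key in $DotNetKeys) {
    Ensure-Key $key
    foreach ($name in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}
Write-Host 'Done. Reboot the server so the SCHANNEL Server-side change takes effect.'
```

Run it once without -Apply to see the current state (a protocol row showing 'not set' means Windows is using its built-in default for that version), then with -Apply to make the changes. New-ItemProperty with -Force is used rather than Set-ItemProperty so that the value is created with the correct DWORD type even when it does not exist yet.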

TLS used by InTOUCH & inPATIENT apps

The inTOUCH and inPATIENT mobile apps require TLS 1.2 to be enabled on the web server, both to authenticate and to connect to the storage container for secure transfer of photos.

On the server hosting the inTOUCH app, check that the TLS 1.2 protocol is enabled at both the Client and Server level.

Use https://www.ssllabs.com/ssltest/ to produce a report informing you of the encryption protocols that you have enabled on your server.
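The SSL Labs test only reaches servers that are accessible from the internet. As an added example (not part of the original article), the following PowerShell probe does the same kind of check from inside the network: it opens a connection to the web server and attempts a TLS handshake with each protocol version in turn, reporting which versions the server accepts and which it refuses. The hostname is a placeholder; replace it with the name of your own inTOUCH server. It assumes Windows PowerShell 5.1 on .NET Framework 4.x, so only the SslProtocols values available there are tried.

```powershell
# Added example (not from the original article): report which TLS/SSL versions
# a web server will negotiate. Hostname below is a placeholder.
param(
    [string]$HostName = 'intouch.example.internal',   # placeholder, not a real address
    [int]$Port = 443
)

# Protocol versions defined in .NET Framework 4.x SslProtocols.
$versions = 'Ssl3', 'Tls', 'Tls11', 'Tls12'

# Certificate validation is skipped on purpose: the question here is which
# protocol versions the server accepts, not whether its certificate chain is trusted.
$acceptAnyCert = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]

$results = foreach ($name in $versions) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object -TypeName System.Net.Security.SslStream `
                          -ArgumentList $client.GetStream(), $false, $acceptAnyCert
        $proto = [System.Security.Authentication.SslProtocols]$name
        # Offer exactly one version; the handshake fails if the server refuses it.
        $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
        [pscustomobject]@{
            Requested  = $name
            Accepted   = $true
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Detail     = ''
        }
    } catch {
        # A refusal can also come from the client side (e.g. SSL 3.0 disabled
        # locally), so confirm a 'rejected' row against the server's registry.
        [pscustomobject]@{
            Requested  = $name
            Accepted   = $false
            Negotiated = $null
            Cipher     = $null
            Detail     = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Dispose()
    }
}

$results | Format-Table -AutoSize
```

For the inTOUCH and inPATIENT apps the row for Tls12 must show Accepted = True. Rows showing Ssl3 or Tls accepted are the ones to review against the cautions in step 1 above before disabling anything.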

Add the required TLS protocols using the steps above (points 1 and 2).