Tags: ssl, biztalk, tls1.2, biztalk-2016

BizTalk 2016 FP 3 CU6 and TLS 1.2 not working


I have BTS2016 Enterprise with FP3 CU5 installed and TLS1.2 was working out-of-the-box. I then installed FP3 CU6 and all of a sudden TLS1.2 is gone... BizTalk uses TLS1.0 or SSL3.0 instead.

If I add registry keys for the different protocols here

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

and disable all but TLS 1.2 then BizTalk refuses to communicate with other webservices.

Using Fiddler I see the following before disabling TLS1.0 and SSL3.0:

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below. Version: 3.1 (TLS/1.0)

When I then disable all but TLS 1.2 this is what I see in Fiddler:

After the client received notice of the established CONNECT, it failed to send any data.

I tried uninstalling FP3 CU6 and reinstall FP3 CU5 but it still does not work. I did not have to modify any registry keys when it was working before the FP3 CU6 installation.

What have I missed that's probably right in front of my eyes?


Solution

  • TLS1.2 is now working for me. The registry needs to be modified to make it work out-of-the-box. I did the following: Ran IIS Crypto from Nartac Software with the Best Practices template that will disable and enable different protocols and ciphers in the registry. Next step is to add the following two registry keys:

    Windows Registry Editor Version 5.00
    
    ; 64-bit .NET Framework 4.x: opt in to the OS default protocol list (TLS 1.0/1.1/1.2)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    
    ; 32-bit (WOW64) .NET Framework 4.x, used by 32-bit host instances
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
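The two symptoms in the question (a TLS 1.0 ClientHello while older protocols are allowed, then no data at all once only TLS 1.2 is left) are what a .NET Framework 4.x process shows when `SchUseStrongCrypto` is not set: it offers only SSL 3.0/TLS 1.0 and cannot fall back to anything the SCHANNEL keys still permit. The following PowerShell script is an added example, not code from the question or the answer above. It audits the SCHANNEL protocol keys the question refers to and the two `SchUseStrongCrypto` values from the answer, and contains a function that writes those two values. It assumes a 64-bit Windows host (hence the `Wow6432Node` path), .NET Framework 4.x under `v4.0.30319`, and an elevated session for the write step.

```powershell
# Added example (not from the original post): audit SCHANNEL protocol state and the
# .NET SchUseStrongCrypto flag on a BizTalk host, then optionally apply the two keys
# from the answer. Assumptions: 64-bit OS and .NET Framework 4.x (v4.0.30319).

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

$StrongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-SchannelProtocolState {
    # One row per protocol and side. A missing key or value means "OS default";
    # it does not mean the protocol is disabled.
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $path  = Join-Path (Join-Path $SchannelBase $p) $side
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

            $enabled = 'default'
            $dbd     = 'default'
            if ($props) {
                if ($null -ne $props.Enabled)           { $enabled = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $dbd     = $props.DisabledByDefault }
            }

            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                KeyPresent        = [bool]$props
                Enabled           = $enabled
                DisabledByDefault = $dbd
            }
        }
    }
}

function Get-StrongCryptoState {
    # Reports SchUseStrongCrypto for the 64-bit and 32-bit .NET 4.x registry hives.
    foreach ($k in $StrongCryptoKeys) {
        $v = (Get-ItemProperty -Path $k -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        $state = if ($null -eq $v) { 'not set' } else { $v }
        [pscustomobject]@{ Key = $k; SchUseStrongCrypto = $state }
    }
}

function Set-StrongCrypto {
    # Writes the two REG_DWORD values from the answer. Idempotent; requires elevation.
    foreach ($k in $StrongCryptoKeys) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        New-ItemProperty -Path $k -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first; nothing below changes the machine.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-StrongCryptoState     | Format-Table -AutoSize

# To apply the answer's fix, run Set-StrongCrypto, then restart the BizTalk host
# instances (and IIS for isolated hosts): the flag is read once at process start.
# Set-StrongCrypto
```

Reading the audit output together with Fiddler is the quickest way to confirm which side is at fault: if the SCHANNEL rows show TLS 1.2 enabled but `SchUseStrongCrypto` is `not set`, the ClientHello will still advertise TLS 1.0 and disabling the older protocols produces exactly the "failed to send any data" behaviour from the question.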