"Paul" wrote


| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\AdvancedOptions\CRYPTO\TLS1.2]
| "OSVersion"=-
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\AdvancedOptions\CRYPTO\TLS1.1]
| "OSVersion"=-
|

I think those actually need to be the version, though I'm
not certain. Something like 3.5.0.0.1. There are websites
that provide the exact number. (5 for XP. 6 for Vista/7.)

I decided to back out all of that stuff after it didn't help
with wininet.dll. But I do have the schannel update, for
use with winhttp.dll. I don't see any reason for people
who are just browsing with FF to care about this stuff.
At this point it's only relevant for some 3rd-party software.

| If you leave the PosReady key, it just means that
| Windows Update lists a lot of stuff that may or may
| not be appropriate as a patch.

Yes. But I never enable Windows Update on any
machine. So I don't care. Though it's not clear to
me that people with IE8 haven't got the SCHANNEL
update. It's all very confusing and I just don't
understand enough of encryption and protocols to
understand exactly what the implications of the different
updates are.
MS says KB4019276 provides TLS1.2 support. That
seems to work for me on XP, through winhttp, having
added the POS and DisabledByDefault settings. That's
all I know for sure.
(I also had to adjust winhttp calls in my software. In
other words, getting an update to TLS1.2 for winhttp.dll
and/or wininet.dll won't make software use TLS1.2 if
that software is not expecting support and is specifically
targetting SSL or TLS1.0.)