Supported Versions of TLS
A small number of advanced drivers in Geo SCADA Expert have an implementation of TLS that is built on the OpenSSL software library. With the majority of advanced drivers in Geo SCADA Expert, the implementation of TLS is built on the Microsoft Schannel software library. These implementations are available to those supported advanced drivers that you can configure to represent a network connection, and for which at least some of the outstations that the driver can be used with are known to support TLS.
For Schannel implementations, all current versions of Windows support the versions of TLS and DTLS that are listed below. However, the versions of TLS and DTLS that are enabled by default vary, depending on the operating system that is running on your Geo SCADA Expert servers and the Schannel registry settings. System administrators can enable or disable versions of TLS and DTLS manually by editing the registry in Windows (typically to disable older versions of TLS).
DTLS 1.3 is not yet supported by any version of Windows or OpenSSL.
Server Hardware
- Windows Server 2025: TLS 1.0*, TLS 1.1*, TLS 1.2, TLS 1.3, DTLS 1.0*, DTLS 1.2
- Windows Server 2022: TLS 1.0*, TLS 1.1*, TLS 1.2, TLS 1.3, DTLS 1.0*, DTLS 1.2
- Windows Server 2019: TLS 1.0*, TLS 1.1*, TLS 1.2, DTLS 1.0*, DTLS 1.2
(Earlier versions of TLS and DTLS, including those marked with an asterisk * above, have been deprecated, so should not be used.)
Desktop Hardware
- Windows 11: TLS 1.0*, TLS 1.1*, TLS 1.2, TLS 1.3, DTLS 1.0*, DTLS 1.2
- Windows 10 (version 1607 onwards): TLS 1.0*, TLS 1.1*, TLS 1.2, DTLS 1.0*, DTLS 1.2
(Earlier versions of TLS and DTLS, including those marked with an asterisk * above, have been deprecated, so should not be used.)
OpenSSL has the same support as Windows Server 2022 and Windows 11. None of the current drivers in Geo SCADA Expert that are built with OpenSSL use UDP (and therefore DTLS).
For a list of which TLS implementations are used in the drivers in Geo SCADA Expert, see Transport Layer Security (TLS).
Renegotiation
This section only applies when using TLS 1.2 and earlier. (The TLS 1.3 protocol eliminated renegotiation.)
Starting a new handshake negotiation inside of an existing secure session is called 'renegotiation'. Renegotiation creates a new secure session and validates the certificates; this detects expired certificates.
With TLS 1.2 and earlier, long-lasting connections and connections that transmit large quantities of encrypted data should be regularly renegotiated. Renegotiation settings are defined at the TLS server. In Geo SCADA Expert, these are typically on the configuration form of the Channel database item that is configured to represent a network connection and has a Listen Port enabled (see Configure the Security Properties of a Network Connection). Renegotiation is triggered by the length of time that has elapsed and by the quantity of data that has been encrypted; whichever limit is reached first triggers a renegotiation. The default value (and the minimum and maximum range) for the renegotiation interval in Geo SCADA Expert conforms to IEC 62351-3:2023 section 7.4.5. We strongly advise against disabling TLS renegotiation.
Troubleshooting
If there are issues with using TLS on your system, a system administrator might want to review the Windows registry settings to ensure that the relevant versions of TLS and the corresponding supported cipher suites are enabled in the Schannel Security Support Provider (SSP). Once enabled, they apply globally to the whole machine (such as the Geo SCADA Expert server).
The supported and enabled versions in the Geo SCADA Expert server must overlap with those that are supported by the outstation, device, or application at the other end of the connection (otherwise the TLS handshake will fail). Older versions of TLS and cipher suites are typically disabled in certain operating systems by default. The Microsoft website provides tables of supported versions and mentions which are enabled or disabled by default.
The known weak cipher suites (such as RC4, DES, export, and null) are permanently disabled in the drivers in Geo SCADA Expert.
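The registry review described above can be done with a read-only script such as the following. This is an added example, not part of the Geo SCADA Expert documentation or product; it assumes the standard Schannel Protocols registry key documented by Microsoft, and the function name Get-SchannelState is hypothetical.

```powershell
# Added example: read-only audit of the Schannel protocol settings on this machine.
# Assumes the standard Schannel registry location documented by Microsoft.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol versions from the lists on this page; $true = marked with an asterisk (deprecated).
$protocols = [ordered]@{
    'TLS 1.0'  = $true;  'TLS 1.1'  = $true
    'TLS 1.2'  = $false; 'TLS 1.3'  = $false
    'DTLS 1.0' = $true;  'DTLS 1.2' = $false
}

# Hypothetical helper: returns the configured state for one protocol and role.
function Get-SchannelState {
    param([string]$Protocol, [string]$Role)
    $key   = Join-Path (Join-Path $base $Protocol) $Role
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or
        ($null -eq $props.Enabled -and $null -eq $props.DisabledByDefault)) {
        # No explicit values: Windows applies the default for this OS version.
        return 'OS default'
    }
    if ($props.Enabled -eq 0)           { return 'Disabled' }
    if ($props.DisabledByDefault -eq 1) { return 'Disabled by default' }
    return 'Enabled'
}

$report = foreach ($name in $protocols.Keys) {
    foreach ($role in 'Client', 'Server') {
        $state = Get-SchannelState -Protocol $name -Role $role
        [pscustomobject]@{
            Protocol   = $name
            Role       = $role
            State      = $state
            Deprecated = $protocols[$name]
            # Deprecated versions that are not explicitly disabled need a closer look.
            Review     = ($protocols[$name] -and $state -ne 'Disabled')
        }
    }
}
$report | Format-Table -AutoSize
```

A row that shows 'OS default' has no override in the registry, so whether that version is enabled depends on the operating system defaults listed in the Microsoft tables.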
Further Information
Supported operating systems in more detail: see Operating Systems.