Prior to the release of CU8 for Exchange Server 2013 yesterday, you may have been prompted with an error (similar to the screenshot below) while validating or checking the installation of your SSL certificate. For all of my Exchange projects, I will check validity of the certificates installed by running the DigiCert SSL Installation Diagnostics Tool. In this instance, an error was received pointing out there may be a protocol enabled on the Exchange 2013 servers that shouldn’t be.
In the error message, a reference to resolve the vulnerability is provided. Thankfully, DigiCert provided a thorough write-up to fix the error; I chose the manual method via Registry Editor.
Essentially, we create a key with the name “SSL 3.0” (which will most likely already exist) under…
If the “SSL 3.0” key already exists, create two additional keys under it: one named “Client” and one named “Server”…
Again, it is most likely that the “Server” key will already be present.
Under the “SSL 3.0\Client” key, create a new DWORD (32-bit) Value, name it “DisabledByDefault” and give it a value of 1.
Under the “SSL 3.0\Server” key, create a new DWORD (32-bit) Value (if it doesn’t already exist), name it “Enabled” and give it a value of 0.
You can now close regedit and restart IIS (run iisreset from a Command Prompt) to complete disabling (or removing the restrictions for) the SSL 3.0 protocol. However, restarting the Exchange 2013 server is strongly recommended.
IMPORTANT: Perform these tasks on all pre-CU8 Exchange 2013 servers. If CU8 for Exchange 2013 is already installed, you don’t need to apply these registry keys and values.
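The registry changes above as a single PowerShell script that first audits the current values on a server and, only with -Apply, sets them. This is an added example, not code from the original post or from DigiCert; it assumes the parent key is the standard SCHANNEL Protocols location, which the post shows only in its screenshot.

```powershell
# Added example (not from the original post). Audits, and with -Apply sets,
# the SSL 3.0 values described above. Run from an elevated PowerShell prompt.
# Assumption: parent key is the standard SCHANNEL Protocols location.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script only reports current state
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

# Desired state from the post: Client\DisabledByDefault = 1, Server\Enabled = 0
$desired = @(
    @{ Sub = 'Client'; Name = 'DisabledByDefault'; Value = 1 },
    @{ Sub = 'Server'; Name = 'Enabled';           Value = 0 }
)

function Get-SslValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$needsRestart = $false
foreach ($d in $desired) {
    $path    = Join-Path $base $d.Sub
    $current = Get-SslValue -Path $path -Name $d.Name
    $state   = if ($current -eq $d.Value) { 'OK' }
               elseif ($null -eq $current) { 'MISSING' }
               else { "WRONG ($current)" }
    Write-Host ("{0}\{1} should be {2}  [{3}]" -f $d.Sub, $d.Name, $d.Value, $state)

    if ($Apply -and $state -ne 'OK') {
        if ($PSCmdlet.ShouldProcess($path, "Set $($d.Name) to $($d.Value)")) {
            # The Client key usually does not exist yet; Server usually does
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # -PropertyType DWord matches the "DWORD (32-bit) Value" in the post;
            # -Force overwrites a value that exists with the wrong data
            New-ItemProperty -Path $path -Name $d.Name -Value $d.Value `
                -PropertyType DWord -Force | Out-Null
            $needsRestart = $true
        }
    }
}

if ($needsRestart) {
    Write-Host 'Values changed: run iisreset, or better, restart the Exchange server.'
}
```

Run it without -Apply first on each pre-CU8 server to see which values are missing; -Apply -WhatIf shows what would change without writing anything.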
Once these tasks are complete, the tool should no longer report that the SSL 3.0 protocol vulnerability is present.
Ultimately, I would strongly recommend installing Exchange 2013 CU8 as it will resolve this same concern. But please make sure you test it in a lab environment first.
Good luck and have fun!
- Microsoft Security Advisory 3009008
- Microsoft Issues Advice on SSL 3.0 Security Vulnerability
- DigiCert Certificate Inspector: Vulnerabilities
- Microsoft IIS: Disabling the SSL v3 Protocol
- SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2013 environment
- Need to disable SSL3.0 for Exchange 2013 SMTP? Install CU8 to make it work
- Cumulative Update 8 for Exchange Server 2013
- Announcing Cumulative Update 8 for Exchange Server 2013