Disable SSL 3.0 Protocol for Exchange 2013 (pre-CU8)

Prior to the release of CU8 for Exchange Server 2013 yesterday, you may have been prompted with an error (similar to the screenshot below) while validating or checking the installation of your SSL certificate. For all of my Exchange projects, I will check validity of the certificates installed by running the DigiCert SSL Installation Diagnostics Tool. In this instance, an error was received pointing out there may be a protocol enabled on the Exchange 2013 servers that shouldn’t be.

[Screenshot: DigiCert SSL Installation Diagnostics Tool reporting the SSL 3.0 error]

In the error message, a reference to resolve the vulnerability is provided. Thankfully, DigiCert provided a thorough write-up to fix the error; I chose the manual method via Registry Editor.

Essentially, we create a key with the name “SSL 3.0” (which will most likely already exist) under…

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

Whether or not the “SSL 3.0” key already existed, create two subkeys under it, one named “Client” and one named “Server”…

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0

Again, it is most likely that the “Server” key will already be present.

Under the “SSL 3.0\Client” key, create a new DWORD (32-bit) Value, name it “DisabledByDefault” and give it a value of 1. With this set, Schannel no longer offers SSL 3.0 for outbound connections unless an application explicitly asks for it.

Under the “SSL 3.0\Server” key, create a new DWORD (32-bit) Value (if it doesn’t already exist), name it “Enabled” and give it a value of 0. With this set, Schannel refuses SSL 3.0 for inbound connections, which is what the DigiCert tool is checking.

You can now close regedit. Be aware that an iisreset alone is not enough: Schannel reads these protocol settings when the system starts, so the Exchange 2013 server must be restarted before SSL 3.0 is actually disabled.

IMPORTANT: Perform these tasks on all Exchange 2013 servers. Installing CU8 does not make this registry change for you; CU8 adds support on the Exchange side (in particular the SMTP transport) for honoring the operating system’s protocol settings, so the registry values above are still required after CU8 is installed.
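The same registry change as a script, added here as an example that is not part of the original post or of DigiCert’s write-up. It writes the two values described above, reads them back so you can confirm what actually landed, and includes a hypothetical post-reboot check (Test-Ssl3Handshake, a name assumed for this example) that attempts an SSL 3.0-only handshake against the server using .NET’s SslStream. Run it from an elevated PowerShell prompt on each Exchange 2013 server; the reboot is still required.

```powershell
# Added example, not code from the original post. Disables SSL 3.0 in Schannel
# the same way the manual regedit steps do, then reads the values back.
# Run elevated on each Exchange 2013 server; reboot afterwards for Schannel to
# pick up the change.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'

function Disable-Ssl3 {
    # Create "SSL 3.0", "Client" and "Server" keys if they are missing.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base $side
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
    }
    # Client: SSL 3.0 is no longer offered unless an application asks for it explicitly.
    New-ItemProperty -Path (Join-Path $base 'Client') -Name 'DisabledByDefault' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Server: SSL 3.0 is refused outright for inbound connections.
    New-ItemProperty -Path (Join-Path $base 'Server') -Name 'Enabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-Ssl3State {
    # Read back what is in the registry so the change can be verified before rebooting.
    $client = Get-ItemProperty -Path (Join-Path $base 'Client') -ErrorAction SilentlyContinue
    $server = Get-ItemProperty -Path (Join-Path $base 'Server') -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ClientDisabledByDefault = $client.DisabledByDefault
        ServerEnabled           = $server.Enabled
        ServerSsl3Disabled      = ($server.Enabled -eq 0)
    }
}

# Hypothetical check (assumed name, not from the post): after the reboot, try an
# SSL 3.0-only handshake against the server. Returns $true if the handshake
# succeeds, i.e. SSL 3.0 is still accepted. Only meaningful when run from a
# client whose own Schannel still allows SSL 3.0 as a client protocol; on a
# hardened client it returns $false regardless of the server's configuration.
function Test-Ssl3Handshake {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Certificate validation is irrelevant here; we only care whether SSL 3.0 negotiates.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Ssl3, $false)
        return $true
    } catch {
        return $false
    } finally {
        $tcp.Close()
    }
}

Disable-Ssl3
Get-Ssl3State
# Restart-Computer   # uncomment once you are ready to reboot this server
# After the reboot, from another host:
#   Test-Ssl3Handshake -HostName 'mail.example.com'   # hostname is a placeholder
```

Get-Ssl3State showing ServerSsl3Disabled as True only confirms the registry contents; the handshake check is what tells you Schannel is now refusing SSL 3.0, so run it after the restart, and treat a $false result from a client that itself has SSL 3.0 disabled as inconclusive.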

Once we have completed these tasks, we should no longer be prompted that the SSL 3.0 protocol vulnerability is present.

[Screenshot: DigiCert SSL Installation Diagnostics Tool with the SSL 3.0 check passing]

Ultimately, I would strongly recommend installing Exchange 2013 CU8, which adds Exchange-side support for running with SSL 3.0 disabled; the registry change above is still needed alongside it. But please make sure you test it in a lab environment first.

Good luck and have fun!


Comments on “Disable SSL 3.0 Protocol for Exchange 2013 (pre-CU8)”

  1. This information is incorrect. Prior to CU8, if you make the registry changes, Exchange ignores them and still uses SSL3 and TLS1.0, so your advice above still leaves you with security flaws. Also CU8 does not automatically disable SSL3, nor any other protocol. It simply allows SMTP to use protocols OTHER than SSL3 and TLS1.0, if you set them in the OS. You still need to make the necessary registry changes to the OS if you want to disable SSL3, and/or TLS 1.0/1.1.

    Bottom line – update to CU8 and make the necessary registry changes.
