Disable SSLv3 in OWA for "Poodle" vulnerability

  • Question

  • We are currently using Exchange 2013 CU6 on Server 2012 R2 with the latest patches. Due to the POODLE vulnerability we are attempting to disable SSLv3. We started by using IIS Crypto; however, it indicates that SSLv3 is not a supported cipher suite, and it identifies only Multi-Protocol Unified Hello and PCT 1.0 as valid cipher suites. SSLv3 is also disabled in the registry. A Qualys scan of the Exchange server still indicates SSLv3 is supported. How can we disable this?
    Wednesday, October 15, 2014 6:43 PM

Answers

  • Can you post the reg entries for SSL 3?
    • Marked as answer by Theantioch Wednesday, October 15, 2014 7:30 PM
    Wednesday, October 15, 2014 7:14 PM

All replies

  • If you disabled it via registry then you should be good to go

    http://support.microsoft.com/kb/245030


    DJ Grijalva | MCITP: EMA 2007/2010 SPA 2010 | www.persistentcerebro.com

    Wednesday, October 15, 2014 6:51 PM
  • That's what I'm saying, I'm not. Qualys Labs SSL test still indicates SSLv3 is supported.
    Wednesday, October 15, 2014 6:52 PM
  • Have you done an IIS reset on the box?

    DJ Grijalva | MCITP: EMA 2007/2010 SPA 2010 | www.persistentcerebro.com

    Wednesday, October 15, 2014 7:01 PM
  • Have you restarted the server?
    Wednesday, October 15, 2014 7:01 PM
  • Last time I worked on this, iisreset was not enough for some strange reason. I had to reboot the server in order for the changes to take effect.

    Wednesday, October 15, 2014 7:05 PM
  • The ciphers were already disabled on the box previously, but a reboot was initiated anyway just to be sure, no change.
    Wednesday, October 15, 2014 7:11 PM
  • (Screenshot of the registry entries; image not included in the extracted text.)
    Wednesday, October 15, 2014 7:24 PM
  • Never mind, I found the issue. When I make the change via IIS Crypto, it inserts a large garbage number. I corrected it before I took the above screenshot and rebooted, and it appears the issue is resolved. Maybe something about IIS Crypto is not compatible with Exchange? Anyway, issue solved, thanks for the help!
    Wednesday, October 15, 2014 7:29 PM
  • Do you recall where IIS Crypto inserted the text? Good info to know since that tool will become even more popular now.
    Wednesday, October 15, 2014 7:49 PM
  • On the Enabled line, it added a huge string of numbers instead of just the standard 1 or 0, which must have just defaulted it to enabled. I thought I checked it after I ran IIS Crypto, but I must have missed it before.
    Wednesday, October 15, 2014 7:52 PM
  • Did you have any problem for users connecting from outside the company? We actually have done a similar move with Exchange 2010, but most users are not able to connect to Outlook Anywhere, even when OWA works fine.
    Thursday, October 16, 2014 7:17 PM
  • The correct REG_DWORD values are:

    ..\SSL 3.0\Client

    DisabledByDefault : 1

    ..\SSL 3.0\Server

    Enabled : 0

    • Proposed as answer by Calvin-Liu Wednesday, March 20, 2019 3:56 AM
    • Unproposed as answer by Calvin-Liu Wednesday, March 20, 2019 3:56 AM
    Friday, October 17, 2014 4:25 PM
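    To verify these values on a server and catch the failure mode described earlier in this thread (a value other than 0 or 1 landing in Enabled), here is an added audit script; it is not from the thread or from IIS Crypto, and it assumes the standard SCHANNEL protocol path from the KB article linked above and an elevated PowerShell session on the Exchange server.

```powershell
# Added example: audit the SCHANNEL SSL 3.0 registry values listed in the reply
# above. Assumes the standard SCHANNEL path (per KB 245030) and elevation.
$Ssl3Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Test-Ssl3Disabled {
    param([string]$BasePath = $Ssl3Base)

    # Values the thread gives as correct: Client\DisabledByDefault = 1, Server\Enabled = 0
    $expected = @{
        'Client' = @{ DisabledByDefault = 1 }
        'Server' = @{ Enabled = 0 }
    }
    $ok = $true
    foreach ($side in $expected.Keys) {
        $key = Join-Path $BasePath $side
        if (-not (Test-Path $key)) {
            Write-Warning "$key is missing; Schannel falls back to its default (SSL 3.0 available)"
            $ok = $false
            continue
        }
        foreach ($name in $expected[$side].Keys) {
            $want = $expected[$side][$name]
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                Write-Warning "$key\$name is not set"
                $ok = $false
                continue
            }
            # REG_DWORD comes back as a signed Int32; normalise to the unsigned value
            # so that a large number (e.g. 0xFFFFFFFF) is reported as written.
            $have = [uint32]([int64]$item.$name -band 0xFFFFFFFF)
            if ($have -ne 0 -and $have -ne 1) {
                # The symptom from this thread: a huge number in Enabled. Schannel
                # treats any non-zero value as enabled, so this is not "disabled".
                Write-Warning "$key\$name = $have (expected 0 or 1); non-zero means enabled"
            }
            if ($have -ne $want) {
                Write-Warning "$key\$name = $have, expected $want"
                $ok = $false
            } else {
                Write-Output "OK: $key\$name = $have"
            }
        }
    }
    return $ok   # $true only when both values match; reboot after any correction
}

Test-Ssl3Disabled
```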
  • No issues connecting outside, but we don't use Outlook Anywhere, just OWA.
    Monday, October 20, 2014 7:34 PM
  • You ever fix this? IISCrypto breaks Outlook Anywhere.
    Saturday, November 19, 2016 11:37 AM
  • My issue wasn't about Outlook Anywhere. We don't use it. You would be better off starting your own topic on this.
    Monday, November 21, 2016 5:12 PM