Outlook 2011 for Mac and SSLv3 on Exchange 2010

  • Question

  • I have a few Apple MacBook users with Outlook 2011, and connecting back to my Exchange 2010 server (essentially via OWA). Currently it all works fine. 

    With the POODLE vulnerability, it is recommended that SSLv3 be disabled in Exchange (at Windows 2008 O/S server level), and instead fall back on TLS. Does anybody have any experience with Mac users connecting to Exchange, disabling all SSL versions (SSLv3, v2, etc) on Exchange, and the Mac user still being able to connect? 

    I am not able to find much on the web, but I have seen a few people say that Outlook 2011 for Mac does not support TLS. If you go into the settings for email, it does only have an option for "use SSL" and does not mention TLS. 

    Does anyone have any further insight? Thanks
    Friday, December 12, 2014 7:31 PM

All replies

  • We have had no issues disabling it with both Exch 2010 and Exch 2013 and Mac Users.


    Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Friday, December 12, 2014 7:37 PM
    Moderator
  • Andy, so to verify, your Outlook for Mac users connect back to Exchange via HTTPS and the corporate EWS URL? Within the Account settings of Outlook 2011 for Mac is the "Use SSL to connect" option check marked? This is what worries me. Several others have said Outlook 2011 does not support TLS, and I am afraid if I turn it off at the Windows O/S level of Exchange, it won't negotiate. 

    Below is a Microsoft forum with users experiencing the very same thing I fear. You are the first I have heard verify differently. Just want to make sure we are talking apples to apples. 

    http://answers.microsoft.com/en-us/mac/forum/macoffice2011-macoutlook/outlook-2011-to-use-sslv3/7e777e6b-9e92-4a89-8874-d357c4bdf6ef


    Friday, December 12, 2014 7:54 PM
  • Well, I have recently upgraded to the latest Maclook, but SSL is checked yes. (I'm pretty confident it was checked for Outlook 2011 as well.) We don't use TMG as that poster in the link does. 



    Friday, December 12, 2014 8:07 PM
    Moderator
  • Yea, we don't use TMG either, but just included the link as a reference point for screenshot of Outlook for Mac settings. Even with latest MacBook you have, Outlook for 2011 is still the latest edition that Microsoft offers for Mac, so I assume that is what you are running.

    So, if you have Outlook Account settings similar to that link I sent, and you are connecting back to Exchange 2010 on a Windows server with SSL versions disabled at the OS level, then it sounds as though it might work. Not sure what to make of those that it is not working for, and that say SSLv3 must be enabled. 

    Friday, December 12, 2014 8:24 PM
  • If you have a test server, I would work against that to verify. What works for me may not for you of course :)



    Friday, December 12, 2014 8:48 PM
    Moderator
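One way to run the test-server check suggested above, added here as an example and not taken from any post in this thread: a small probe that offers the server one protocol version at a time (SSLv3 through TLS 1.2) with a hand-built ClientHello and reports which versions the server agrees to. Run it before and after changing the SSL settings at the OS level to confirm that SSLv3 is refused and TLS is still accepted. The host name is whatever test server you pass on the command line, and port 443 is an assumption.

```python
import os
import socket
import struct

VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# Suites defined for SSLv3 through TLS 1.2: RSA with AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
CIPHERS = (0x002F, 0x0035, 0x000A, 0x0005)

def client_hello(version):
    """Build a minimal ClientHello record (no extensions) offering `version`."""
    suites = b"".join(struct.pack(">H", c) for c in CIPHERS)
    body = bytes(version) + os.urandom(32) + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

def negotiated_version(reply):
    """Return (major, minor) from a ServerHello, or None for an alert, close or other data."""
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        return (reply[9], reply[10])
    return None

def probe(host, port=443, timeout=5.0):
    """Offer each version in turn; map version name -> True if the server agreed to it."""
    results = {}
    for name, version in VERSIONS.items():
        reply = b""
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(client_hello(version))
                while len(reply) < 11:          # enough bytes to read the ServerHello version
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    reply += chunk
        except OSError:
            pass                                # reset, timeout or refusal counts as "not accepted"
        results[name] = negotiated_version(reply) == version
    return results

if __name__ == "__main__":
    import sys
    # sys.argv[1] is the test server's host name (an assumption of this example)
    for name, ok in probe(sys.argv[1]).items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
```

A server that answers a higher offer with a lower version (for example TLS 1.0 in reply to a TLS 1.2 offer) shows as refused for the higher version and accepted for the one it actually supports.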
  • Hi,

    Based on my research, Outlook 2011 for Mac needs to use SSL to establish communication between the client and the server. If you disable SSL, the Outlook 2011 for Mac user may not be able to connect to Exchange server.

    To work around this issue, enable SSL 2.0 on the server, and then make sure that the protocol is not blocked by any devices on the network.

    When Outlook for Mac 2011 can again establish a connection by using SSL 2.0, and if the responding server's security protocol (TLS) differs from the client's protocol (SSL), the client will switch to the protocol of the server (TLS).

    Please configure the Exchange server to support Compatible mode by using the instructions from KB article 980436. This allows the Outlook for Mac client to establish a connection by using the SSL protocol and then renegotiate by using TLS. This method allows Outlook for Mac to connect to the server even when SSL 2.0 and 3.0 are blocked. For more information about it, please refer to:

    http://support2.microsoft.com/kb/2955530/en-us

    Regards,


    Winnie Liang
    TechNet Community Support

    Monday, December 15, 2014 12:25 PM
    Moderator
  • Hi,

    Any updates?

    Regards,


    Winnie Liang
    TechNet Community Support

    Wednesday, December 17, 2014 5:35 AM
    Moderator