Answered by:
Disable SSLv3 on Lync Edge server

Question
-
Answers
-
Hi,
In registry editor, go to
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Change the value to 0 or add a new DWORD value "Enabled" and set it to 0.
- Proposed as answer by Mark ValeMVP Tuesday, September 1, 2015 10:55 AM
- Marked as answer by Eric_YangKModerator Wednesday, September 9, 2015 6:17 AM
-
Hi
You will need to create the Keys and Entries manually for 3.0 and TLS 1.0
and
https://support.microsoft.com/en-us/kb/187498
TechNet one has a nice friendly fixit tool to just run and reboot :)
thanks
Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.
- Marked as answer by Eric_YangKModerator Wednesday, September 9, 2015 6:17 AM
-
Hi lrwinBats,
Please check the following KB.
https://support.microsoft.com/en-us/kb/245030?wa=wsignin1.0
These keys might not exist so they need to be created prior to setting values.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
Best regards,
Eric
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
- Edited by Eric_YangKModerator Tuesday, September 1, 2015 2:47 AM
- Marked as answer by Eric_YangKModerator Wednesday, September 9, 2015 6:17 AM
All replies
-
Hi,
In registry editor, go to
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Change the value to 0 or add a new DWORD value "Enabled" and set it to 0.
- Proposed as answer by Mark ValeMVP Tuesday, September 1, 2015 10:55 AM
- Marked as answer by Eric_YangKModerator Wednesday, September 9, 2015 6:17 AM
-
-
Hi lrwinBats,
Please check the following KB.
https://support.microsoft.com/en-us/kb/245030?wa=wsignin1.0
These keys might not exist so they need to be created prior to setting values.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
Best regards,
Eric
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
- Edited by Eric_YangKModerator Tuesday, September 1, 2015 2:47 AM
- Marked as answer by Eric_YangKModerator Wednesday, September 9, 2015 6:17 AM
-
-
HI
You will need to reboot the server for it to take effect
thanks
Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.
-
Hi, Guys.
As what you have said, this registry key is not present in our Lync Edge server. Due to this, can you share any procedures / articles on how to create this key and disable it as well? Please advise.
When I navigate to
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
I only see under this a folder SSL 2.0 then under that is a Client folder
Further, do I need to create all of these 3 as well so that the change will take effect?
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
Thank you.
-
Hi
You will need to create the Keys and Entries manually for 3.0 and TLS 1.0
and
https://support.microsoft.com/en-us/kb/187498
TechNet one has a nice friendly fixit tool to just run and reboot :)
thanks
Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.
- Marked as answer by Eric_YangKModerator Wednesday, September 9, 2015 6:17 AM
-
-
Not specifically to protect against POODLE. But some people want to force TLS 1.2 as the only protocol as it offers the strongest protection. Entirely down to your choice.
thanks
Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.
-
Hi, Guys. Good Day! Could you please share your experience after you apply the registry settings for the server to disable SSLv3? Did you encounter any issues like the server didn't come back from restart? How long would it take you to complete this task? Please advise. Thank you.
-
Hi
This is a pretty easy task usually, with a reboot the server should come back online without excessive waiting.
I have seen excessive server reboots when the server fails to ping the default gateway, but thats unrelated to this specific task.
thanks
Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.
-
-