Disable SSLv3 on Lync Edge server

  • Question

  • Hi, Guys.

    Good Day!

    Need your assistance on this.

    Do you know how to disable SSLv3 on Lync Edge server? Any considerations and/or procedures to do this? Please advise.

    Thank you.



    Monday, August 31, 2015 8:31 AM


All replies

  • Hi,

    In registry editor, go to

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Change the value to 0 or add a new DWORD value "Enabled" and set it to 0.

    Monday, August 31, 2015 8:55 AM
  • Hi, Yoav.

    Do you have any supporting MS article for this? Please advise.

    Thank you.

    Tuesday, September 1, 2015 12:09 AM
  • Hi lrwinBats,

    Please check the following KB.

    https://support.microsoft.com/en-us/kb/245030?wa=wsignin1.0

    These keys might not exist so they need to be created prior to setting values.

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]


    Best regards,

    Eric


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Tuesday, September 1, 2015 2:46 AM
    Moderator
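
Added example (not part of the original thread or any poster's reply): PowerShell that creates the SCHANNEL protocol keys when they are missing and sets the `Enabled` DWORD to 0, as the replies above describe. The function names `Disable-SchannelProtocol` and `Get-SchannelProtocolState` are hypothetical, and the default target is the `SSL 3.0\Server` key named in the thread.

```powershell
# Added example: run from an elevated PowerShell session on the server.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports whether each protocol/role key exists and what "Enabled" is set to.
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0'))
    foreach ($p in $Protocol) {
        foreach ($r in 'Server', 'Client') {
            $key    = Join-Path $base "$p\$r"
            $exists = Test-Path -LiteralPath $key
            $val    = $null
            if ($exists) {
                $val = (Get-ItemProperty -LiteralPath $key -Name 'Enabled' `
                            -ErrorAction SilentlyContinue).Enabled
            }
            [pscustomobject]@{
                Protocol  = $p
                Role      = $r
                KeyExists = $exists
                Enabled   = if ($null -eq $val) { 'not set' } else { $val }
            }
        }
    }
}

function Disable-SchannelProtocol {
    # Creates <Protocol>\<Role> if absent, then writes Enabled = 0 (DWORD).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Protocol = 'SSL 3.0',
        [ValidateSet('Server', 'Client')][string[]]$Role = @('Server')
    )
    foreach ($r in $Role) {
        $key = Join-Path $base "$Protocol\$r"
        # Only create when missing: New-Item -Force on an existing key would reset it.
        if (-not (Test-Path -LiteralPath $key) -and
            $PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null   # -Force also creates parent keys
        }
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 0 (DWORD)')) {
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize          # state before the change
Disable-SchannelProtocol -Protocol 'SSL 3.0' -Role Server -WhatIf   # preview only
```

Drop `-WhatIf` to apply the change, then rerun `Get-SchannelProtocolState` to confirm the value; passing `-Protocol 'SSL 2.0'` covers the SSLv2 case raised later in the thread.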
  • Hi, Guys. Do I need to do something after applying this [i.e., restart of IIS, Lync services restart]? Please advise. Thank you.
    Tuesday, September 1, 2015 10:29 AM
  • Hi

    You will need to reboot the server for it to take effect.

    thanks


    Note: Please remember to `Mark as Answered` a post that answers your question and/or `Vote as Helpful` posts that have helped you. This will help others find answers to similar problems. For more Skype for Business help visit: http://www.skype4b.uk Please note that answers are based on my experience and opinion only and do not necessarily represent the views of my employer.

    Tuesday, September 1, 2015 10:55 AM
  • Hi, Guys.

    As you have said, this registry key is not present on our Lync Edge server. Because of this, can you share any procedures / articles on how to create this key and disable it as well? Please advise.

    When I navigate to

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

    I only see a folder SSL 2.0 under this, and under that is a Client folder.

    Further, do I need to create all 3 of these as well so that the change will take effect?

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]

    Thank you.

    Thursday, September 3, 2015 10:30 AM
  • Hi

    You will need to create the Keys and Entries manually for 3.0 and TLS 1.0

    http://disablessl3.com/

    and

    https://support.microsoft.com/en-us/kb/187498

    TechNet one has a nice friendly fixit tool to just run and reboot :)

    thanks


    Thursday, September 3, 2015 10:58 AM
  • Do I need to create TLS 1.0 given that I only need to disable SSL 3.0? Please advise.
    Thursday, September 3, 2015 1:06 PM
  • Not specifically to protect against POODLE. But some people want to force TLS 1.2 as the only protocol as it offers the strongest protection. Entirely down to your choice.

    thanks


    Thursday, September 3, 2015 1:25 PM
  • Hi, Guys. Good Day! Could you please share your experience after you apply the registry settings for the server to disable SSLv3? Did you encounter any issues like the server didn't come back from restart? How long would it take you to complete this task? Please advise. Thank you.
    Sunday, September 6, 2015 8:11 AM
  • Hi

    This is a pretty easy task usually, with a reboot the server should come back online without excessive waiting. 

    I have seen excessive server reboots when the server fails to ping the default gateway, but that's unrelated to this specific task.

    thanks


    Sunday, September 6, 2015 8:24 AM
  • Hi, Guys.

    Good Day!

    How do you disable SSLv2 on Lync Edge? Is it the same approach as when we change the registry key for SSLv3? Please advise.

    Thank you.

    Sunday, September 13, 2015 2:02 PM
  • Hi lrwinBats.

    Yes, it's the same.


    Best regards,

    Eric



    Sunday, September 13, 2015 3:04 PM
    Moderator