Does disabling SSLv3 affect HTTPS access to Exchange 2010?

  • Question

  • In a PCI compliance scan carried out by a third-party security company, the Exchange 2010 server was found to support SSLv3, which they say has security vulnerabilities. Does disabling SSLv3 affect HTTPS access to Exchange 2010? When I look at the certificate used for HTTPS access, it shows SSLv3 everywhere, so how do I resolve this? Thanks.
    April 23, 2015 15:11

Answers

  • Hello,

    There is no impact; for details I suggest you refer to the following blog post:

    http://blogs.technet.com/b/samdrey/archive/2014/10/17/vulnerability-in-ssl-3-0-poodle-attack-and-exchange-2010-or-exchange-2013.aspx

    So disabling SSL V3.0 on the Windows Server hosting the Exchange server application won’t affect classical Exchange services; it will only prevent clients that cannot/don’t “speak” TLS (who speak SSL 2.0/3.0 only) from connecting to Exchange services over an SSL channel.

    All the other clients such as Outlook and IE will continue to work seamlessly with the Exchange services.

    Thanks!


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Niko Cheng
    TechNet Community Support

    April 24, 2015 3:07
    Moderator
  • TLS configuration

    http://terenceluk.blogspot.ca/2013/09/enabling-tls-for-exchange-server-2010.html

    Enabling TLS for Exchange Server 2010

    I’ve recently been asked to troubleshoot why TLS wasn’t working for an Exchange 2010 server even though the obvious settings had been configured. What I’ve found is that most administrators tend to perform only 1 of the 2 steps and are therefore left wondering why TLS isn’t offered by the Exchange server, so this post serves to outline the steps so that I can direct anyone who runs into this issue to this blog post.

    How do you know whether your Exchange server is performing opportunistic TLS?

    The easiest way to determine whether the Exchange server is performing opportunistic TLS is to simply telnet to the hub transport server via port 25:

    telnet localhost 25

    [screenshot]

    Note that I’m logged on directly to the Exchange server in the screenshot above, so please substitute localhost with either the external MX record or the name / IP of the hub transport server if you’re coming from the internal network.

    Execute the command:

    ehlo

    … and look for 250-STARTTLS in the output:

    [screenshot]

    Notice how the screenshot above does not contain the 250-STARTTLS output which means this Exchange server is not going to accept TLS connections.

    Step #1 – Turn on “Enable Domain Security (Mutual Auth TLS)” or enable the “DomainSecureEnabled” setting:

    The settings:

    1. Enable Domain Security (Mutual Auth TLS)
    2. DomainSecureEnabled

    … are actually the same setting: one is configured through the Exchange Management Console and the other through PowerShell.

    Option #1 - Exchange Management Console:

    To enable the setting in the EMC, navigate to Microsoft Exchange On-Premises –> Server Configuration –> Hub Transport and select the appropriate receive connector that receives email from the internet:

    [screenshot]

    Open up the properties of the receive connector and navigate to the Authentication tab, then check off Enable Domain Security (Mutual Auth TLS):

    [screenshots]

    Option #2 - PowerShell:

    The second way of enabling the setting is to launch PowerShell then use the Set-ReceiveConnector cmdlet.  You can also check to see if the setting is enabled by using the:

    Get-ReceiveConnector <Connector Name> | FL

    … and scroll to the DomainSecureEnabled setting:

    [screenshot]

    … or execute:

    Get-ReceiveConnector <Connector Name> | FL DomainSecureEnabled

    … to only display that setting.

    To enable the setting, execute:

    Set-ReceiveConnector <Connector Name> -DomainSecureEnabled $true -AuthMechanism TLS

    [screenshot]

    Note how the screenshot above now displays the DomainSecureEnabled property as being True.

    If you open up the properties of the receive connector, you’ll see that the Enable Domain Security (Mutual Auth TLS) setting is checked off:

    [screenshot]

    Step #2 – Assign a certificate to the SMTP service:

    I find most administrators tend to miss step 2, which is to assign a certificate to the SMTP service, so ensure that you have a certificate with a CN or a SAN entry that matches the MX-to-A record name, then use the:

    Get-ExchangeCertificate

    … cmdlet to list the certificates:

    [screenshot]

    Copy the Thumbprint and then execute the following cmdlet:

    Enable-ExchangeCertificate -thumbprint <thumbprint of certificate> -services:SMTP

    [screenshot]

    Note that I already had a certificate assigned so was prompted to overwrite the existing certificate.

    Now when you telnet to the Exchange server, you should see the 250-STARTTLS option:

    [screenshot]

    April 25, 2015 2:25
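    An added check that goes one step beyond the telnet test in the blog post above (example code, not from the blog post or this thread): it reads the EHLO response for 250-STARTTLS, then completes the handshake and reports which protocol SCHANNEL actually negotiated, either after STARTTLS on port 25 or directly on port 443 for OWA, which is the later question in this thread. The server name and the probe's EHLO name are assumptions; run it from a workstation that has the protocols you want to test enabled on its own client side.

```powershell
# Added example: report the protocol negotiated by an Exchange SMTP (STARTTLS) or HTTPS endpoint.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 443,
        [switch] $SmtpStartTls,   # send EHLO/STARTTLS first (hub transport, port 25)
        [System.Security.Authentication.SslProtocols] $Protocols = 'Tls, Tls11, Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $client.GetStream()
    $result = [ordered]@{ Server = $Server; Port = $Port; StartTls = $false; Protocol = $null; Error = $null }
    try {
        if ($SmtpStartTls) {
            $reader = New-Object System.IO.StreamReader($stream)
            $writer = New-Object System.IO.StreamWriter($stream)
            $writer.AutoFlush = $true
            $null = $reader.ReadLine()                        # 220 greeting
            $writer.WriteLine('EHLO tls-probe.example')       # assumed probe host name
            $ehlo = @()
            do { $line = $reader.ReadLine(); $ehlo += $line } while ($line -like '250-*')
            if (-not ($ehlo -like '250-STARTTLS')) {          # the line the telnet test looks for
                $result.Error = 'server did not advertise 250-STARTTLS'
                return [pscustomobject]$result
            }
            $result.StartTls = $true
            $writer.WriteLine('STARTTLS')
            $null = $reader.ReadLine()                        # 220 ready to start TLS
        }
        # Accept any certificate: the goal is only to learn which protocol SCHANNEL negotiates.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $cb)
        $ssl.AuthenticateAsClient($Server, $null, $Protocols, $false)
        $result.Protocol = $ssl.SslProtocol
        $ssl.Close()
    } catch {
        $result.Error = $_.Exception.Message                  # handshake refused, e.g. Ssl3 after the fix
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage (server name assumed):
# Test-TlsEndpoint -Server mail.example.com -Port 443                 # OWA: expect Tls, Tls11 or Tls12
# Test-TlsEndpoint -Server mail.example.com -Port 25 -SmtpStartTls    # SMTP after STARTTLS
# Test-TlsEndpoint -Server mail.example.com -Protocols Ssl3           # should end in Error once SSL 3.0 is off
```

    A run with -Protocols Ssl3 that still returns a Protocol means the server key change has not taken effect (or the server has not been rebooted yet).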

All replies

  • https://www.trustwave.com/Resources/SpiderLabs-Blog/Bring-Out-Your-Dead--An-Update-on-the-PCI-relevance-of-SSLv3/?page=1&year=0&month=0

    According to the explanation in the article above, enterprises need to migrate from SSLv3 to TLS 1.1 as soon as possible. How should this be configured? Do current clients and mobile devices all support this encryption method? Thanks.

    April 23, 2015 15:26
  • Disable SSL 3.0 in Windows

    You can disable support for the SSL 3.0 protocol on Windows by following these steps:

    1. Click Start, click Run, type regedt32 or type regedit, and then click OK.

    2. In Registry Editor, locate the following registry key:

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

    Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.

    3. On the Edit menu, click Add Value.

    4. In the Data Type list, click DWORD.

    5. In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.

    6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".

    7. Click OK. Restart the computer.

    Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

    Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.

    (Source: https://technet.microsoft.com/en-us/library/security/3009008.aspx)

    Just disable it by following the method above.

    April 24, 2015 0:55
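    An added PowerShell version of the registry steps above (example code, not the thread's or the advisory's own): it writes the same SCHANNEL key and Enabled value the advisory describes, additionally sets DisabledByDefault, and generalises the same key layout to TLS 1.1/1.2 for the later question in this thread. The protocol names are the SCHANNEL key names; run it elevated on the Exchange server and reboot afterwards, as the advisory says. Whether Exchange 2010 itself negotiates TLS 1.2 depends on its update level, which this thread does not cover.

```powershell
# Added example: manage SCHANNEL protocol keys with PowerShell instead of regedit.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,          # e.g. 'SSL 3.0', 'TLS 1.1', 'TLS 1.2'
        [ValidateSet('Server', 'Client')] [string] $Side = 'Server',
        [Parameter(Mandatory)] [bool] $Enable
    )
    $key = Join-Path (Join-Path $schannel $Protocol) $Side
    if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }   # creates missing parent keys too
    # Enabled = 0 is the advisory's setting; DisabledByDefault = 1 additionally keeps the protocol
    # out of the default list when an application does not select protocols explicitly.
    Set-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enable)        -Type DWord
    Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -Type DWord
}

function Get-SchannelProtocolState {
    param([string[]] $Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $schannel $p) $side
            $enabled = $null; $dbd = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled; $dbd = $props.DisabledByDefault
            }
            [pscustomobject]@{ Protocol = $p; Side = $side; Enabled = $enabled; DisabledByDefault = $dbd }
        }
    }
}

# The step the advisory describes: disable SSL 3.0 for all server software on this machine (IIS included).
Set-SchannelProtocol -Protocol 'SSL 3.0' -Side Server -Enable $false

# Generalisation for the follow-up question about TLS 1.1/1.2: the same key layout enables them.
foreach ($p in 'TLS 1.1', 'TLS 1.2') {
    Set-SchannelProtocol -Protocol $p -Side Server -Enable $true
    Set-SchannelProtocol -Protocol $p -Side Client -Enable $true
}

# Review the result; a blank column means the key is absent and SCHANNEL applies the OS default.
Get-SchannelProtocolState | Format-Table -AutoSize
```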
  • Thank you for your answer. Could you provide guidance on configuring TLS encryption on Exchange 2010? Why don't I see anywhere to configure TLS in IIS, and how will HTTPS access work after SSLv3 is disabled? Or is there no connection between the two? Thanks.
    April 24, 2015 12:11
  • Hello, thank you for your explanation. I ran “telnet localhost 25” on Exchange 2010 and the output contains “250-STARTTLS”, which means my Exchange supports TLS. After I disable SSLv3, will both SMTP and OWA HTTPS automatically use the TLS protocol? I'm not very familiar with this, so please bear with me. Thanks.
    April 29, 2015 16:06
  • @yyycx, I modified the registry following your method and restarted the server. Google Chrome shows that I am connecting with the TLS 1.0 protocol, but in Internet Explorer I can still access OWA even when I untick TLS 1.0 in the security options and tick only SSL 3.0. What is the reason for this? The new PCI scan result now shows that I have not only an SSL 3.0 security issue but also a TLS 1.0 security issue, and that TLS 1.1 or 1.2 should be used. How do I set that up? Thanks.
    May 6, 2015 8:08
  • Could the experts in this group tell me how to disable SSLv3 on Exchange 2010 and force TLS 1.1 or 1.2? Thanks.
    May 8, 2015 5:55