Failing SSL report at SSL Labs

Posted on 2013-12-05
Medium Priority
Last Modified: 2013-12-23

We're getting an F grade for our Webmail URL at https://www.ssllabs.com/ssltest/analyze.html, the reason being:

This server is vulnerable to MITM attacks because it supports insecure renegotiation. Grade set to F:

The URL that's failing is the link for OWA, which goes through our Firewall > TMG > Exchange 2010. TMG and Exchange are both on 2008 R2 SP1 x64 and fully MS patched. I've done a bit of reading and found a tool that apparently should fix this, called "IIS Crypto".

I've run it on the TMG server and rebooted, but it's still failing. ):

What exactly should we be doing to fix this and on which server (e.g. TMG or Exchange)?

Question by:kswan_expert

Accepted Solution

btan earned 1500 total points
ID: 39700643
Rightfully, if the requests are to be consumed by the Exchange server, TMG should not be part of the assessment. You may want to check whether TMG supports secure SSL renegotiation.

Good to take note of this as well

Overall, I suggest you also check this EE thread; the MITM is covered under addressing item (2). I've extracted one of the patches that addresses the vulnerabilities. See the MS bulletin on "TLS/SSL Renegotiation Vulnerability - CVE-2009-3555":

b) CVE-2009-3555, which is the SSL/TLS renegotiation vulnerability
> Microsoft released a security bulletin, in which you can drill into the Vulnerability Information (based on the CVE) and the affected versions. The Microsoft Baseline Security Analyzer should be able to check whether this bulletin is installed on the machine.

@ http://technet.microsoft.com/en-us/security/bulletin/MS10-049

Author Comment

ID: 39707023
Thanks, will have a look at the Exchange server. I'm a bit wary of running IIS Crypto on our Prod Exchange VM, so will see if I can find the reg changes to add manually. The URL mentioned in your link above for MITM is dead. ):

Expert Comment

ID: 39707384
Sure, keep us posted. Rather not introduce another lockdown tool unnecessarily.

Author Comment

ID: 39735073

If interested:

On the TMG server, under HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\

DisableRenegoOnServer            1  (DWORD)
AllowInsecureRenegoClients       0  (DWORD)

See the article, but these values needed to be added.

Thanks breadtan
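The registry change the author settled on, as an added example that is not code from the original thread: an audit-and-apply script for the two SChannel values posted above, meant to be run in an elevated PowerShell session on whichever box terminates TLS for OWA (TMG in this thread). The value names are the ones documented with MS10-049 / KB 980436; the "desired" values are the author's final configuration, not a Microsoft default. Function names and the placeholder hostname in the usage note are my own.

```powershell
# Added example (not from the original thread). Audits and applies the SChannel
# renegotiation values the author posted. SChannel reads these at boot, so the
# server (or at least the TLS endpoint) must be restarted after they change.

$SChannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Target state from the thread: refuse clients that cannot do RFC 5746 secure
# renegotiation (0 = disallow), and do not renegotiate on the server side at all.
$DesiredRenego = [ordered]@{
    'AllowInsecureRenegoClients' = 0
    'DisableRenegoOnServer'      = 1
}

function Get-SChannelRenegoState {
    [CmdletBinding()]
    param([string]$Key = $SChannelKey)

    foreach ($name in $DesiredRenego.Keys) {
        # A missing value is reported explicitly; SChannel treats it as "unset",
        # which is the state the author found before adding the keys.
        $item = Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.$name } else { $current = '(not set)' }

        [pscustomobject]@{
            Name    = $name
            Current = $current
            Desired = $DesiredRenego[$name]
            InSync  = ($null -ne $item) -and ($item.$name -eq $DesiredRenego[$name])
        }
    }
}

function Set-SChannelRenegoState {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key = $SChannelKey)

    if (-not (Test-Path $Key)) {
        throw "SChannel key not found: $Key"
    }
    foreach ($name in $DesiredRenego.Keys) {
        $value = $DesiredRenego[$name]
        if ($PSCmdlet.ShouldProcess("$Key\$name", "Set DWORD to $value")) {
            # -Force overwrites an existing value, including one created with the
            # wrong type (a REG_SZ "1" is ignored by SChannel).
            New-ItemProperty -Path $Key -Name $name -Value $value `
                -PropertyType DWord -Force | Out-Null
        }
    }
    Get-SChannelRenegoState -Key $Key
}

# Usage:
#   Get-SChannelRenegoState            # audit only, no changes
#   Set-SChannelRenegoState -WhatIf    # show what would be written
#   Set-SChannelRenegoState            # apply, then reboot the server
```

After the reboot, re-run the SSL Labs test, or from any host with OpenSSL run `openssl s_client -connect webmail.example.com:443` (placeholder hostname) and check that the handshake summary says "Secure Renegotiation IS supported". Two caveats before repeating this on Exchange itself: DisableRenegoOnServer=1 also blocks legitimate server-initiated renegotiation, which IIS uses when it asks for a client certificate only on a sub-path, so test OWA logins and any client-certificate URLs first; and the values only matter on the server that actually terminates TLS, which is why the author's change on TMG fixed the grade while Exchange behind it was never what SSL Labs was talking to.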

Expert Comment

ID: 39735894
Thanks for sharing!
