disable TLS 1.0

To become PCI compliant I need to disable SSLv2 & 3 as well as TLS 1.0 on my mail server.  On my mail server I tried to disable all of those and enable TLS 1.1 and 1.2.  It was all good until I tried to disable TLS 1.0, which left just TLS 1.1 and 1.2.  This is when my mail wouldn't work for my company.

We have a hub 2010 Exchange server on Server 2008 R2 SP1 that all my settings are set up on.  We also have a 2010 Exchange Database server on Windows Server 2008 R2 SP1. (Do I need to make SSL/TLS changes on this server too?)

I put in the usual reg keys to disable:

DisabledByDefault - DWORD value of 1
Enabled - DWORD value of 0

and to enable TLS 1.1 and 1.2:

DisabledByDefault - DWORD value of 0
Enabled - DWORD value of 1

I hope this is enough information.

Thanks,

Kevin
klock60 asked:

btan (Exec Consultant) commented:
Indeed, disabling SSL 3.0 on the Windows Server hosting the Exchange server application will not affect classical Exchange services. All clients such as Outlook and IE will continue to work seamlessly with the Exchange services. With regard to https://technet.microsoft.com/en-us/library/security/3009008.aspx

However, for TLS 1.0, the forum already flagged your similar experience:
Microsoft noted in KB 3045301 https://support.microsoft.com/en-us/kb/3045301 that Simple Mail Transfer Protocol (SMTP) uses Transport Layer Security (TLS) 1.0 in a Microsoft Exchange Server 2013 environment, even if you have enabled TLS 1.1 or TLS 1.2, because of a hard-coded restriction that limits SMTP to use Secure Sockets Layer (SSL) 3.0 and TLS 1.0 for transport. Exchange CU8 fixes this. HOWEVER, we still cannot get Exchange 2013 CU8 to work after disabling SSL v3 and TLS v1.0 (on Server 2012)... the production system (which has a valid CA cert) will not connect any way if I disable SSL 3.0 and/or TLS 1.0. It also shows the blank page behavior in OWA and ECP from "inside".
https://social.technet.microsoft.com/Forums/en-US/8815dada-94b5-4d89-ad80-43f03705c551/support-for-tls-12-over-exchange-2013-on-server-2012?forum=exchangesvrsecuremessaging

You will need to enable TLS 1.0 at the server, since it is not mentioned to have worked out for many, and I suspect it is not supported too. At least from this, TLS 1.0 is not suggested to be disabled.
https://technet.microsoft.com/en-us/library/security/3009008.aspx

Side note: But I do know that RC4 is considered weak and should be disabled. This may be used in the client.
http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
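As an added example (not code from either post), the PowerShell below writes the Schannel protocol values the question describes and reads every protocol's Server and Client state back so the result can be checked before a reboot. It assumes the standard SCHANNEL\Protocols registry paths on Windows Server 2008 R2, an elevated session, and a reboot afterwards, and it leaves TLS 1.0 untouched because the answer above reports that Exchange SMTP transport still needs it.

```powershell
# Added example, not from the original posts. Assumes the standard Schannel
# protocol key layout; run elevated and reboot for Schannel to pick up changes.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory=$true)][bool]$Enable
    )
    foreach ($Side in 'Server', 'Client') {
        $Key = Join-Path (Join-Path $Base $Protocol) $Side
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Enabled=1 + DisabledByDefault=0 turns a protocol on; the inverse turns it off.
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reports what is actually stored for each protocol and side; a value that
    # is not set means the OS default applies (on 2008 R2, TLS 1.1/1.2 are off).
    foreach ($Protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($Side in 'Server', 'Client') {
            $Key = Join-Path (Join-Path $Base $Protocol) $Side
            $Props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
            $Enabled  = if ($Props -and $null -ne $Props.Enabled) { $Props.Enabled } else { 'not set' }
            $Disabled = if ($Props -and $null -ne $Props.DisabledByDefault) { $Props.DisabledByDefault } else { 'not set' }
            New-Object -TypeName PSObject -Property @{
                Protocol = $Protocol; Side = $Side
                Enabled = $Enabled; DisabledByDefault = $Disabled
            }
        }
    }
}

# PCI target from the question: SSL 2.0/3.0 off, TLS 1.1/1.2 on.
# TLS 1.0 is deliberately not touched: the answer reports Exchange SMTP transport
# still relied on it, and disabling it is what broke mail for the asker.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enable $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# Verify what was written before rebooting.
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

Run the same script on the mailbox server as well if its Schannel settings are in question, and confirm SMTP and OWA still connect after the reboot before tightening anything further.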