disable TLS 1.0

To become PCI compliant I need to disable SSLv2 & 3 as well as TLS 1.0 on my mail server.  On my mail server I tried to disable all of those and enable TLS 1.1 and 1.2.  It was all good until I tried to disable TLS 1.0, which left just TLS 1.1 and 1.2.  This is when my mail wouldn't work for my company.

We have a 2010 Exchange Hub server on Server 2008 R2 SP1 that all my settings are set up on.  We also have a 2010 Exchange Database server on Windows Server 2008 R2 SP1. (Do I need to make SSL/TLS changes on this server too?)

I put the usual reg keys to disable:

DisabledByDefault - DWORD value of 1
Enabled - DWORD value of 0

and to enable TLS 1.1 and 1.2:

DisabledByDefault - DWORD value of 0
Enabled - DWORD value of 1

I hope this is enough information.

Thanks,

Kevin
klock60 Asked:
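The DisabledByDefault/Enabled keys in the question live under the SCHANNEL Protocols branch and must be set on both the Server and Client subkeys of each protocol. The following PowerShell is an added example, not code from the question or from Microsoft; it assumes the standard SCHANNEL registry path, an elevated session, and PowerShell 2.0 syntax for Server 2008 R2, and it reports the resulting state so the change can be verified before the reboot that makes it effective.

```powershell
# Added example: set and audit SCHANNEL protocol keys on Windows Server 2008 R2.
# Assumes the standard registry path below; a reboot is required afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Name,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory=$true)][bool]$Enable
    )
    # Server and Client subkeys should agree; otherwise the host may still
    # accept TLS 1.0 inbound (or offer it outbound) after the change.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 / DisabledByDefault=0 turns the protocol on;
        # Enabled=0 / DisabledByDefault=1 turns it off (the values from the question).
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reads back what the registry currently says for each protocol and side,
    # so the configuration can be checked on the Hub and on the Mailbox server.
    foreach ($name in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$name\$side"
            $props = $null
            if (Test-Path $key) { $props = Get-ItemProperty -Path $key }
            $enabled  = 'not set'
            $disabled = 'not set'
            if ($null -ne $props) {
                if ($null -ne $props.Enabled)           { $enabled  = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabled = $props.DisabledByDefault }
            }
            New-Object PSObject -Property @{
                Protocol = $name; Side = $side
                Enabled = $enabled; DisabledByDefault = $disabled
            }
        }
    }
}

# Disable the legacy protocols and enable TLS 1.1/1.2 on both sides, then audit.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $false }
'TLS 1.1', 'TLS 1.2'            | ForEach-Object { Set-SchannelProtocol -Name $_ -Enable $true }
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

Run Get-SchannelProtocolState alone first to record the starting state, so the TLS 1.0 keys can be restored quickly if mail flow stops as described in the question.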

btan (Exec Consultant) Commented:
Indeed, disabling SSL v3.0 on the Windows Server hosting the Exchange server application will not affect classical Exchange services. All clients such as Outlook and IE will continue to work seamlessly with the Exchange services. With respect to https://technet.microsoft.com/en-us/library/security/3009008.aspx

However, for TLS 1.0, the forum already flagged your similar experience:
Microsoft noted in KB 3045301 https://support.microsoft.com/en-us/kb/3045301 that Simple Mail Transfer Protocol (SMTP) uses Transport Layer Security (TLS) 1.0 in a Microsoft Exchange Server 2013 environment, even if you have enabled TLS 1.1 or TLS 1.2, because of a hard-coded restriction that limits SMTP to use Secure Sockets Layer (SSL) 3.0 and TLS 1.0 for transport. Exchange CU8 fixes this. HOWEVER, we still cannot get Exchange 2013 CU8 to work after disabling SSL v3 and TLS v1.0 (on Server 2012)... the production system (which has a valid CA cert) will not connect any way if I disable SSL 3.0 and/or TLS 1.0. It also shows the blank page behavior in OWA and ECP from "inside".
https://social.technet.microsoft.com/Forums/en-US/8815dada-94b5-4d89-ad80-43f03705c551/support-for-tls-12-over-exchange-2013-on-server-2012?forum=exchangesvrsecuremessaging

You will need to enable TLS 1.0 at the server, since it is not reported to have worked out for many, and I suspect it is not supported either. At least from this, TLS 1.0 is not suggested to be disabled.
https://technet.microsoft.com/en-us/library/security/3009008.aspx

Side note: I do know that RC4 is considered weak and should be disabled. This may be used by clients.
http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx