Randy asked:

Can't get TLS 1.2 to work on Windows Server 2008 R2 with Exch 2010

I am trying to get my install of Windows Server 2008 R2 Standard SP2 (I tried to install SP3 but it failed) and Exch 2010 to use TLS 1.2.  I've made the recommended registry entries and enabled it but using TLS checker it is still showing TLS 1.0 no matter what I do.  The problem is that many servers will not connect to TLS 1.0 so much of my mail is now returned as undeliverable to me.  I now use a backup mx (which will connect to my server using TLS 1.0) which gets my mail and relays it to me but that can take 15 minutes before I receive it.


Can anyone help with this?  I can post pictures of my registry entries, etc.

M A S:

Hi Randy,

Please follow this article and restart the server.

https://tecadmin.net/enable-tls-on-windows-server-and-iis/

I hope you aren't going to let that security nightmare touch the internet...

So you're directly receiving email on a Windows 2008 R2 box running Exchange 2010. Both the OS and Exchange are two major versions past end of security updates. Please do yourself and the organization a favor and migrate to a different/newer email and messaging platform. It likely has multiple different threat actors in your Exchange server. It has known vulnerabilities, and you can't patch it. The longer you wait, the harder it will be to migrate because getting things to work with Exchange 2010 will get harder and harder as the industry prunes compatibility with older unsupported systems. 

Randy (asker):

MA - I had previously made these changes manually and checked all of them. All are as in the .reg files, except I do not have keys for SSL 3.0 or TLS 1.1. Other than that everything is exactly as in the .reg file. I run checktls on my server (mail.rackson.org) and it produces an error. Can you please run checktls yourself and let me know what you think? Thank you!


Kevin, I know. I just use this for home use to share calendars and in-house email with my assistant and kids, and I don't want to put in the time or money to upgrade at this point. But I totally get your perspective. My main concern is the annoying 15 minute delay in receiving emails.

Randy (asker):

M A - In the meantime, is it OK to leave TLS 1.0 enabled so I can still receive email while you guys help me with this?

 I've made the recommended registry entries and enabled it but using TLS checker it is still showing TLS 1.0 no matter what I do.  


That's by design.

If you are able to get SP3 and update rollup 9 installed, then it should work with 1.2.


SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2010 environment

https://support.microsoft.com/en-us/topic/smtp-is-not-transported-over-tls-1-1-or-tls-1-2-protocol-in-an-exchange-server-2010-environment-3fcc404a-012b-fc59-e8fc-c396fece971b

Randy (asker):

Actually checktls was showing nothing without TLS 1.0 re-enabled, so I re-enabled it. Is SP3 required for TLS 1.2 on SP2?

Randy (asker):

And I can't get rollup 9 as it's not available (as you said). Do I really need to install it? Shouldn't it work with SP2 so long as I disable TLS 1.0 (which I did, to no avail)?

Did you look in the Microsoft catalog? Exchange 2010 update rollups still seem to show...

https://www.catalog.update.microsoft.com/search.aspx?q=exchange+2010

Randy (asker):

Can I try one of the later rollups (32) even though I've been updating the server whenever I get the icon? Is there any risk in trying, for example, rollup 32 from March 2021?

Exchange Server 2010

The servicing model for Exchange 2010 uses service packs and update rollups. A service pack is a complete build of the product that includes all previous updates. An update rollup applies to a specific service pack, and includes all previous updates that were included in previous update rollups for that service pack.

What you should install for new servers

When you’re installing a new Exchange 2010 server, you should install the latest service pack, followed by the latest update rollup for that service pack. You can find details of the most recent service pack and update rollup for Exchange 2010 on the Exchange Server Build Numbers page on TechNet.

How to handle updates for existing servers

The steps for updating Exchange 2010 servers depend on which service pack you're currently running. If you're running RTM, SP1, or SP2, you'll need to install SP3 first, then apply the latest update rollup. You can upgrade to SP3 from any previous version of Exchange 2010. You do not need to install SP1 and SP2 first.

If you’re already running Exchange 2010 SP3, you can just apply the latest update rollup. You can update directly to the latest update rollup. For example, if you’re running SP3 with UR10, you can apply update rollup 14 without installing UR11, UR12, and UR13 first.

Randy (asker):

Ah, so I would need to find SP3 and get it to install first (I tried once and it failed for some reason). But I thought TLS 1.2 worked on SP2?

I would make sure Server 2008 R2 was fully up to date, reboot, and try SP3 right after the reboot...

SP3 is basically a full install of 2010, but it is able to upgrade...

If the SP fails, look up the error codes and see if you can find info on Google...

TLS 1.2 is right in the transition era of Exchange and I do not remember which service pack was needed, but SP3 seems to ring a bell...

Also I think I remember SP3 needing a newer Visual C++ runtime, but I am not sure..



Randy (asker):

Thanks Scott. I checked and what I have running is Version 14.1 Build 218.15. Does that say anything about what SP I'm running?

Randy (asker):

So Scott, my steps should be:

1. Clone the disk as a backup
2. Try (again) to install SP3
3. Install rollup 32
4. Pray it all works?

...or should I just live with the 15 minute delay?

Shouldn't it work with SP2 so long as I disable TLS 1.0 (which I did to no avail)?


If you look at the article I referenced, it is hardcoded.

Even if you change how the OS handles TLS versions, Exchange (prior to SP3 update 9) will ignore that and use 1.0.


SP3 is basically a full install of 2010 but it is able to upgrade... 


Hmm... didn't think the service packs were the actual full version you can install from until Exchange 2013 or 2016, though it has been quite a while since I worked with Exchange 2010.


Clone the disk as a backup 


Not exactly what I would do, as there is so much Exchange integration with AD, so I highly discourage it.

I would make sure I have a good full backup of the system.

If I did choose to clone, I would do the entire VM, not just one drive.


Try (again) to install SP3


I don't see it available for download, but if you already have it, yes, try again and report back any errors.


Install rollup 32 


Problem is, I don't think these are cumulative, so it doesn't include all previous updates, especially since the download size is only 56 MB.

You could try just update 9 and see if that fixes it (though getting to 32 would be ideal).


https://www.catalog.update.microsoft.com/Search.aspx?q=exchange%202010%209

Where do you need TLS 1.2 to work? Web-based OWA access (IIS)? Or the connection from your email client, where TLS 1.2 and higher is all that is available?
It's been a while, but TLS 1.2 was supported.

https://www.microsoft.com/en-us/security/blog/2017/07/20/tls-1-2-support-added-to-windows-server-2008/

If you have a WSUS server, you could see whether you can pull the update from MS.

Randy (asker):

I'll try and find SP3 and see what happens, but I'm not with the physical box until 1/14. I guess I'll just leave this open...

Randy (asker):

Thanks Scott!


The SP3 of which you speak is for Exchange 2010?

The TLS is provided by the system, Server 2008.

See if this helps.

https://aventistech.com/kb/enable-tls-1-2-in-exchange-2010/

Randy (asker):

I ran sslscan and it looks like TLS 1.2 is enabled. Does this output help anyone see why it is not working (checktls reports TLS 1.0 only)?


If you have access to openssl (whether installed on a Windows system or you have access to a Linux one):

You reference Exchange; which component are you looking at? Is the TLS 1.2 needed to connect to the IMAP/SMTP encrypted ports, or do you use the OWA HTTP proxy, in which case the IIS setup determines how the encryption for the connections is handled:

openssl s_client -connect hostname:port [-starttls smtp]

Using the above, you can test the types of connections available on the server side.
-tls1_2 will use TLS 1.2 only for the connection attempt

-no_<protocol> will disable that protocol for the connection

ssllabs.com has a server tester portion which might be helpful if the above referenced tool is not.

Randy (asker):

TLS Check.pdf (attachment)

I ran a test and it seems I'm having a problem with my "key exchange", but I have no idea what that is or what to do about it. HELP! See attached.


The TLS running on port 443 is completely different from the TLS that mail is running over, as they are different protocols and apps...

Also how your MX looks to the world...

And you have to fix the blacklisting...


Randy (asker):

I'm not sure how any of that connects with my Exchange server only being able to receive mail from servers that support TLS 1.0? This is a small home setup, but the delay from having mail routed through the backup MX provider is annoying.

Your PDF reflects that both TLS 1.2 and SSLv3 are enabled, and this is the reason you get a C.
With the older Server 2008, disabling options like SSLv3 could have adverse consequences dealing with remote access (RDP)....

MX and SMTP communications are not encrypted, plain text.

As long as you make SSLv3 available, it will be seen as insecure from the outside.

The secure flow from your backup MX is a configuration issue.

The report is based on access to port 443.

Did you restrict IIS, or system-wide, TLS 1.2 and SSLv3 available for the server side only?
Set up another transport on port 465 and see if you can have your backup MX configured to transmit over that channel.
Check the STARTTLS configuration on your Exchange server, to make sure it offers TLS 1.2 connections.

You have SSLv3 and TLS 1.0 as the available options.
See if this helps identify where you made the choices.
https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-tls-configuration?view=exchserver-2019


As we have said before, you need to get your Exchange somewhere past the initial install... Those newer protocols came out after 2010 first came out, and getting your installation more current will probably get things working...

Your server only supports TLS 1.0.

Go here and put in your domain rackson.org and you get some details...

https://luxsci.com/smtp-tls-checker

Randy (asker):

If you look above at the results of sslscan.exe on the Exchange server, it looks like TLS 1.2 is enabled on Exchange. But when I ran the TLS analyzer it is showing a "key" problem, which I don't understand. I'm not technical enough to understand what is going on or reconcile these two sets of results. Can anyone help with that? Is my problem with Windows 2008 R2 or with Exchange 2010? My backup MX is a 3rd party service.

A lot of the content you have shown is checking the webmail access ports on 443...

Mail does not use those ports.

sslscan is checking the web server ports.

Exchange needs to be at a minimum of update rollup 19 and SP3 for TLS 1.2 to work with email...

Unless you do this it will NOT work...


Here is your SMTP STARTTLS agreeing to talk SSLv3
subject=/CN=mail.rackson.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5134 bytes and written 499 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID: 320900007CFB8A856CB3C871FC3F0F836FA0736F8F5DEC0A061603DD0247C750
    Session-ID-ctx:
    Master-Key: 00058DB37573A1B48E27A6D38CDC311CBC969B38A6AB3AD86D50F12FEF8E944595F0DE121207B001617D85D1CA9A1670
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1704836656
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Here is the example of TLS1:

subject=/CN=mail.rackson.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5449 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 103800003D5F885C8EFBBCE4A47F5D058477EABA446E6A8F2B0797BD0CE8EF65
    Session-ID-ctx:
    Master-Key: 07D363A36B1E7520AF09E80A4CBDD712C32C96AFBD40B03153681E9A86974DA3EB9139BCE8ABD37D7A4E3022443B6F21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1704836635
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

SSLv2, TLS 1.1 and TLS 1.2 are not available options.

They get this message, with the Protocol line omitted:
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:

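As an added illustration (not code from the thread or from any of its posters) of reading the openssl s_client sessions posted above, and of the per-version probing Arnold described earlier with -tls1_2 and -no_<protocol>: this script parses s_client output for the negotiated protocol, cipher and ephemeral key, flags anything below TLS 1.2 or using a weak cipher, and summarizes a set of per-version probes into what the MTA actually offers. The two sample sessions are trimmed copies of the ones posted here; the refused-attempt sample is constructed from the shape the post describes (SSL-Session: with no Protocol or Cipher line).

```python
import re

# Rank versions so a negotiated protocol can be compared against the floor.
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}
MIN_PROTOCOL = "TLSv1.2"
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXPORT", "MD5", "ANON")

# Trimmed copies of the SSLv3 and TLSv1 sessions posted in the thread, plus a
# constructed refused attempt in the shape described (no Protocol/Cipher lines).
SSLV3_SESSION = """New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
"""
TLS1_SESSION = """Server Temp Key: ECDH, prime256v1, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
"""
REFUSED_SESSION = """Secure Renegotiation IS NOT supported
SSL-Session:
"""

def parse_session(output):
    """Extract protocol, cipher and ephemeral key from s_client output."""
    info = {"protocol": None, "cipher": None, "temp_key": None}
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"(Protocol|Cipher)\s*:\s*(\S+)$", line)
        if m:
            info[m.group(1).lower()] = m.group(2)
        elif line.startswith("Server Temp Key:"):
            info["temp_key"] = line.split(":", 1)[1].strip()
    # Newer OpenSSL builds print "Cipher : 0000" or "(NONE)" instead of omitting it.
    info["negotiated"] = info["cipher"] not in (None, "(NONE)", "0000")
    return info

def assess(info, minimum=MIN_PROTOCOL):
    """Findings for one session; an empty list means it is acceptable."""
    if not info["negotiated"]:
        return ["no session negotiated"]
    findings = []
    if PROTOCOL_RANK.get(info["protocol"], -1) < PROTOCOL_RANK[minimum]:
        findings.append(f"protocol {info['protocol']} is below {minimum}")
    if any(marker in info["cipher"].upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {info['cipher']}")
    if info["temp_key"] is None:
        findings.append("no ephemeral key, so no forward secrecy")
    return findings

def summarize(probes, minimum=MIN_PROTOCOL):
    """probes maps the version forced on the client (-ssl3, -tls1, -tls1_2 ...)
    to the s_client output it produced; reports what the server really offers."""
    accepted = [v for v, out in probes.items() if parse_session(out)["negotiated"]]
    legacy = [v for v in accepted if PROTOCOL_RANK[v] < PROTOCOL_RANK[minimum]]
    offers = any(PROTOCOL_RANK[v] >= PROTOCOL_RANK[minimum] for v in accepted)
    return {"accepted": accepted, "offers_minimum": offers, "legacy_accepted": legacy}

if __name__ == "__main__":
    print(summarize({"SSLv3": SSLV3_SESSION, "TLSv1": TLS1_SESSION,
                     "TLSv1.1": REFUSED_SESSION, "TLSv1.2": REFUSED_SESSION}))
```

Run one s_client attempt per forced version against port 25 with -starttls smtp, save each output, and feed them to summarize(): offers_minimum is False for the server shown in this thread, which is exactly why TLS 1.2-only senders fall back to the backup MX.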
Randy (asker):

Thanks Arnold! So, I definitely do need to upgrade to SP3, correct? I tried that once and ran into a problem, but I will try it again over the weekend and post any errors I get. Will you check back on this thread please?

As I said, try your install after a fresh reboot...

Also make sure you have any prerequisites installed first... SP3 might have different runtimes required...

https://petri.com/install-microsoft-exchange-2010-sp3/


The issue is always with aging software.

Check the health of your Exchange to make sure it is not in a state that contributes to the failure of the update.

Randy (asker):

How would I check health Arnold?

https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-health-checker-has-a-new-home/ba-p/2306671

This provides access to the prior version 2 that supported Exchange 2010.
http://web.archive.org/web/20210507170113/https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/

You'll get a few redirect notices, but it will eventually download the version that should work with Exchange 2010.

Identifying why SP3 fails to update is ....

Randy (asker):

If I just try and run SP3 and it fails, will it back out any changes and leave me where I am now?  

Check the health first.

You previously mentioned that you ran SP3 and it failed.

That is the issue: SP3 is a package of several updates.
Some may have succeeded, or were not needed; an update that was applied failed, at which point SP3 either rolled back what it could or simply exited.

Which version of Exchange SP3 do you have?

The last SP3 update rollup was released on March 2nd 2021.

Do you have a WSUS server in your environment where you can check which SP3 version you are applying, or pull in a more recent one available from the MS update catalog?
They range from Rollup 2 (August 13 2013) through Rollup 32 as referenced above.

See a heads-up on Exchange updates re SP3.
https://community.spiceworks.com/topic/2311675-problem-after-installing-microsoft-update-for-exchange-2010-sp3

Randy (asker):

I downloaded the latest from 2021. I will run the health test and try to install it on Sunday. If it fails, will I be back where I was? This is a simple single server running 2008 R2 and Exchange 2010 with no other components.

See which Build version of Exchange 2010 you have installed

https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019#exchange-server-2010

Look at the notice in the link, warning

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459

This should be removable through Add/Remove Programs (appwiz.cpl).

When installing the update, do you elevate (run as administrator)?

Far removed, and unsupported.
Monitor the windowsupdate.log and the application and system logs for the updates.

Backups?
Do you have an option to quickly set up a VM using Sysinternals disk2vhd/x

and try to see if you can virtualize the current Exchange for test environment purposes....

Then you can apply this update and see what happens; make sure the VM copy is never on the same LAN (does not get a LAN IP).....

Randy (asker):

Build is 218.15

I would try installing the last update rollup for your non-SP3 version, reboot, and then see if SP3 will install. As I said before, you have a base install of the original Exchange with zero maintenance done...


It looks like you have SP1, August 2010.
Using the catalog, look to get Rollup 8 for SP1.
Then Rollup 8 for Exchange SP2, then apply the SP3 update you downloaded.
Confirm the version after each update.

This update path might be smoother than trying to skip SP2.

Randy (asker):

Ok. Thanks Arnold. No need to run those other steps elevated correct?

I think when you are applying the updates (the .msp files you download), you have to run them elevated.

If you are delivering the updates from WSUS, it runs the update via/under system privileges, elevated.

Randy (asker):

Good morning Arnold. It looks like I have Rollup 8 already installed. In that case, what do you suggest I do?

Get the highest for Service Pack 2.
This gradual approach, while taking longer, may provide a more successful upgrade path.

Randy (asker):

Sorry, where is SP2 and Rollup 8 for SP2? I'm sorry if you already told me. Can I actually hire you to do this remotely for me, Arnold?

Randy (asker):

The link in your message is to "Rollup 29 for Exchange 2010 SP3".  Is that what I should install for SP2?

Take out the "Microsoft" from the search and it should provide a listing for Rollup 8 for SP2.
Did not realize the link I copied and posted was not the intended link.
But it is searchable and.....

Randy (asker):

But I'm at sp1 currently no? 

Yes, you are trying to get to SP3 to fix the available TLS options within Exchange, right?

It is difficult to identify which update will add the option within Exchange to allow the higher 1.1 and 1.2 versions.

Does your OWA setup (IIS, if internet accessible) show that TLS 1.2 is available?

Can you check the port 25 transport, STARTTLS, to see whether it has a security option for 1.1 and 1.2 that is just not enabled at the moment?

Randy (asker):

So I found and will install Rollup 8 for SP2 using an elevated command prompt on top of my Rollup 8 SP1 installation (my current state), correct Arnold?

Located the minimum level update you need to get to:
Rollup 9 for SP3

which is what I stated near the beginning, before all this back and forth.


I'll try and find sp3 and see what happens but I'm not with the physical box until 1/14. 


Have you tried this yet?

Unless it is explicitly stated somewhere, you should be able to go from where you are to SP3, unless there is something wrong with your environment causing the upgrade to fail.

Randy (asker):

Project for Thursday, Seth. My plan is to follow Arnold's advice, which is to run a health check, then Rollup 8 for SP2, then Rollup 9 for SP3, unless you guys think differently?

As I said, you cannot run update rollup 8 for SP2 while you are still on SP1...


I suggest following this guide I found...


https://www.experts-exchange.com/articles/10389/Steps-for-Upgrading-Exchange-2010-SP1-or-SP2-to-SP3-with-Latest-Rollup.html


Randy (asker):

I misunderstood. So, what do I run while on SP1 to do one step at a time, or should I go directly to SP3 elevated and give it a try, Scott?

I edited my previous post with a guide for updating from SP1 to SP3.

I'm guessing your previous failure with SP3 was because you didn't install any new prerequisites...
