Exchange 2010 - EWS and disabling TLS 1.0

Hi all,

Due to the POODLE vulnerability and TLS 1.0 showing as enabled on one of our external scans, we were informed that we would need to disable SSL 3.0 and TLS 1.0 on our Exchange server.

Apparently, this wouldn't even be possible until Update Rollup 9 was released on 3/16/15:

Rollup resolves:

KB 3029667 SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2010 environment

After installing this update, SSL 3.0 and TLS 1.0 were disabled and the servers rebooted (cross site, same domain, two Exchange servers). After resolving some issues with certificates that apparently broke as a result of the changes, we found that EWS was not working; the log was full of these errors:

Process 5776: ProxyWebRequest CrossSite from S-1-5-21-3895483984-2032760896-3917300074-1259 to https://mail.exchange.com:443/ews/exchange.asmx failed. Caller SIDs: NetworkCredentials. The exception returned is Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

------------------------------------------------------

The EWS directory in IIS on both servers is set to use Anonymous and Windows Authentication. The main issue observed outside of the above errors was that free/busy information could not be viewed.

After rebuilding the EWS virtual directory and a couple of reboots later, we tried enabling TLS 1.0 on both servers, rebooted, and there were no more EWS errors to be found; free/busy was also working.

So it appears that although this rollup allows SMTP to use TLS 1.1 or 1.2, EWS is still attempting to use TLS 1.0, and I don't see that it is possible to change this.

May 1st, 2015 10:45am

Hi,

Thank you for your post.

This is a quick note to let you know that we are performing research on this issue.

Best regards,
May 4th, 2015 8:23am

Hi,

How did you disable TLS 1.0 on exchange server?

In addition, when you disable TLS 1.0 on the server, please try to disable TLS 1.0 on the client as well, and then check if the issue persists.

I recommend you disable TLS 1.0 protocol by following these steps:

  • Browse to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ key.
  • If there is not a key under there called TLS 1.0, create it.
  • Under TLS 1.0, create a key called Client and a key called Server.
  • For both Client and Server, add a DWORD value to each called Enabled and set it to 0 (This will disable TLS 1.0).

Best regards,

May 7th, 2015 7:50am
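The registry steps in the reply above, written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft: it creates the `Client` and `Server` keys under `SCHANNEL\Protocols\<name>` and sets `Enabled` to 0 as the post describes, and additionally sets `DisabledByDefault` to 1, the companion value Microsoft's SCHANNEL guidance uses; the `Get-SchannelProtocolState` function reads the result back so the change can be audited before and after a reboot. It assumes an elevated PowerShell session on the server itself. The thread's own finding applies unchanged: on Exchange 2010 with Update Rollup 9, disabling TLS 1.0 this way stops EWS (free/busy, Out of Office) from working.

```powershell
# Added example (not from the thread): apply and audit the SCHANNEL protocol
# change described in the post. Run elevated; SCHANNEL only reads these keys
# at boot, so a restart is required afterwards.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$KnownProtocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory=$true)][bool]$Enable
    )
    foreach ($side in 'Client', 'Server') {
        $keyPath = "$SchannelProtocols\$Protocol\$side"
        # -Force creates the missing parent keys (Protocols\<name>\Client|Server)
        # and is harmless when the key already exists.
        $null = New-Item -Path $keyPath -Force
        # Enabled = 0 is the value from the post. DisabledByDefault = 1 is added
        # here so that SCHANNEL also refuses the protocol for callers that do not
        # name a protocol list explicitly.
        $enabledValue  = if ($Enable) { 1 } else { 0 }
        $disabledValue = if ($Enable) { 0 } else { 1 }
        New-ItemProperty -Path $keyPath -Name 'Enabled' -Value $enabledValue `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -Value $disabledValue `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One row per protocol and side; a missing key means "OS default", which
    # for TLS 1.0 on Windows Server 2008 R2 is enabled.
    foreach ($proto in $KnownProtocols) {
        foreach ($side in 'Client', 'Server') {
            $keyPath = "$SchannelProtocols\$proto\$side"
            $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                KeyExists         = [bool]$props
                Enabled           = $(if ($props) { $props.Enabled } else { $null })
                DisabledByDefault = $(if ($props) { $props.DisabledByDefault } else { $null })
            }
        }
    }
}

# Usage: the change the thread describes, followed by a readback.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false
Get-SchannelProtocolState | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
# Restart-Computer   # uncomment once the readback looks right
```

`New-Object PSObject -Property` and `Mandatory=$true` are used instead of the newer `[pscustomobject]` syntax so the script also runs under the PowerShell 2.0 shipped with Windows Server 2008 R2, which is where most Exchange 2010 servers live. To undo the change, call `Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $true` and reboot again, which is what the original poster ended up doing.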

Just as an update to this, we eventually opened a ticket with Microsoft regarding this, who confirmed that this is now a known issue, and TLS 1.0 cannot be disabled without affecting Exchange Web Services in Exchange 2010.  They did not confirm if/when this would be resolved.
  • Marked as answer by 5801ptbac 18 hours 17 minutes ago
May 27th, 2015 9:13am

Do you have a solution for this as yet? Have the same issue, and you immediately FAIL PCI compliance if it's enabled.
June 3rd, 2015 5:25am

Do you have a solution for this as yet? Have the same issue, and you immediately FAIL PCI compliance if it's enabled.

Hello Cory,

There is currently no solution to this yet, and apparently the same issue exists in Exchange 2013.  The following thread on Spiceworks was very helpful:

http://community.spiceworks.com/topic/608560-exchange-2010-poodle-and-security?page=2#entry-4671767

One poster initiated a dispute with the PCI compliance vendor and it was approved, so that is a good sign. Our company will be undergoing a scan later this month, so we will likely do the same thing to avoid failing. I will post an update once that has been done to let you know if they (Trustwave) have also accepted the dispute. I imagine there are several other customers out there going through the same struggle.

June 3rd, 2015 9:09am

Add me to the list on this; many customers failing PCI tests, and now I'm sitting on my hands waiting for Microsoft to fix this issue, as Out Of Office, my customer's main concern, is not available in Outlook, and they consider it quite a hassle to use OWA to set it. At least email is working! Sheesh. It is interesting to know that you can dispute TLS 1.0 and get approved; might have to do that.

One question: I have disabled TLS 1.0 and SSL 3.0 on the servers in question, and I am wondering about running the Update Rollup 9. Do I need to do anything after applying this update to tell Exchange to use TLS 1.1 or 1.2, or will it automatically begin using one of these protocols? I can't seem to find anything about it when I search. Thanks for considering!


June 4th, 2015 12:44pm

Add me to the list on this; many customers failing PCI tests, and now I'm sitting on my hands waiting for Microsoft to fix this issue, as Out Of Office, my customer's main concern, is not available in Outlook, and they consider it quite a hassle to use OWA to set it. At least email is working! Sheesh. It is interesting to know that you can dispute TLS 1.0 and get approved; might have to do that.

One question: I have disabled TLS 1.0 and SSL 3.0 on the servers in question, and I am wondering about running the Update Rollup 9. Do I need to do anything after applying this update to tell Exchange to use TLS 1.1 or 1.2, or will it automatically begin using one of these protocols? I can't seem to find anything about it when I search. Thanks for considering!


Hi Kuptime,

After installing Rollup 9 and ensuring 1.0 and SSL 3 are disabled, SMTP should begin using 1.1 or 1.2 without further changes.  As you mentioned, Exchange Web Services (Out of Office, Free/Busy) will not function correctly with this current implementation.

June 4th, 2015 5:47pm
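The question in the last exchange, whether the server "will automatically begin using one of these protocols", can be answered from a client rather than by reading registry keys. The following is an added example, not code from the thread or from Microsoft: it opens a TLS handshake against an HTTPS endpoint once per protocol version and reports which versions the server accepts, which is how the first post's observation (EWS still negotiating only TLS 1.0) can be confirmed before and after a SCHANNEL change. It assumes .NET 4.5 or later on the probing machine (the `Tls11` and `Tls12` enum values do not exist before that) and that the probing machine has not itself had the protocol disabled, since SslStream uses the local SCHANNEL as well. The host name is the placeholder taken from the error in the first post.

```powershell
# Added example (not from the thread): probe which SSL/TLS versions an HTTPS
# endpoint will negotiate. Assumes .NET 4.5+ and that the local SCHANNEL still
# allows each protocol being tested, otherwise the failure is local, not remote.

function Test-TlsProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory=$true)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation is bypassed on purpose: the only question here is
        # which protocol version the server accepts, not whether its chain is
        # trusted, so this callback is not suitable for anything but a probe.
        $ignoreCert = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $ignoreCert)
        # Restricting enabledSslProtocols to one version forces that version alone
        # into the ClientHello; a server that refuses it closes the connection,
        # which is the "forcibly closed by the remote host" text from the EWS log.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        New-Object PSObject -Property @{
            Protocol   = $Protocol
            Result     = 'Accepted'
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        }
    } catch {
        $reason = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } `
                  else { $_.Exception.Message }
        New-Object PSObject -Property @{
            Protocol   = $Protocol
            Result     = "Rejected: $reason"
            Negotiated = $null
            Cipher     = $null
        }
    } finally {
        $client.Close()
    }
}

# Placeholder host from the first post's error message; replace with the real EWS endpoint.
$ewsHost = 'mail.exchange.com'
$versions = [System.Security.Authentication.SslProtocols]::Ssl3,
            [System.Security.Authentication.SslProtocols]::Tls,
            [System.Security.Authentication.SslProtocols]::Tls11,
            [System.Security.Authentication.SslProtocols]::Tls12

$results = foreach ($v in $versions) { Test-TlsProtocol -HostName $ewsHost -Protocol $v }
$results | Format-Table Protocol, Result, Negotiated, Cipher -AutoSize
```

Run it from a workstation before the SCHANNEL change to get a baseline, then again after the reboot: a server that has had TLS 1.0 disabled should show `Ssl3` and `Tls` as rejected and `Tls11`/`Tls12` as accepted. The probe only tells you what the server's listener accepts; it cannot show what EWS chooses when it acts as a client for the cross-site proxy request in the first post's log, which is the part the thread concludes cannot be changed on Exchange 2010.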

This topic is archived. No further replies will be accepted.
