Support for TLS 1.2 over Exchange 2013 on Server 2012?

Greetings,

We're trying to roll out TLS 1.2 in our test environment and can't seem to get Exchange to work with the protocol.

We've been using this method to enable TLS 1.2 (and disable the other protocols - TLS1.0, SSL2.0, SSL3.0, PCT1.0): http://www.adminhorror.com/2011/10/enable-tls-11-and-tls-12-on-windows_1853.html

We originally tried using Exchange 2010 on 2008 R2, but then I ran across this article saying that it is not supported: http://support.microsoft.com/kb/2709167/en-us

We've since tried to set it up with Exchange 2013 on Server 2012. Still no luck. The only time Exchange wants to work is when TLS1.0 is enabled.

I suspect that TLS1.1 and TLS 1.2 are also not supported on Exchange 2013, or that I'm changing the wrong registry keys, but I wanted to find confirmation. I've searched extensively and can't find any documentation leading me to believe one way or the other if it's supported.

Any help or insight would be greatly appreciated. Thanks!

--Aric

August 19th, 2013 8:12pm
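Added example (not part of the original post): the post above raises the possibility of changing the wrong registry keys, so this read-only PowerShell audit lists what the SCHANNEL protocol keys currently contain for both the Server and Client roles. It assumes the standard SCHANNEL Protocols registry layout with Enabled and DisabledByDefault DWORD values and PowerShell 3.0 or later; the function name Get-SchannelProtocolState is made up for illustration.

```powershell
# Added example: read-only audit of the SCHANNEL protocol settings.
# Get-SchannelProtocolState is a hypothetical helper name; nothing is modified.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    foreach ($name in $Protocol) {
        # Server = connections this host accepts, Client = connections it initiates.
        foreach ($role in 'Server', 'Client') {
            $path  = Join-Path (Join-Path $base $name) $role
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

            $enabled = $null
            $offByDefault = $null
            if ($props) {
                if ($props.PSObject.Properties['Enabled']) { $enabled = $props.Enabled }
                if ($props.PSObject.Properties['DisabledByDefault']) { $offByDefault = $props.DisabledByDefault }
            }

            # Enabled is often written as 0xFFFFFFFF, so test for "not zero"
            # instead of comparing with 1.
            if ($null -eq $enabled -and $null -eq $offByDefault) {
                $state = 'not set (OS default applies)'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                $state = 'disabled'
            } elseif ($null -ne $offByDefault -and $offByDefault -ne 0) {
                $state = 'available, but off by default'
            } else {
                $state = 'enabled'
            }

            [pscustomobject]@{
                Protocol          = $name
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $offByDefault
                State             = $state
            }
        }
    }
}

# A protocol whose Server and Client rows disagree is worth a second look.
Get-SchannelProtocolState | Format-Table -AutoSize
```

SCHANNEL changes take effect after a reboot, so run the audit again after restarting to confirm what is actually in force.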

Hello,

At present, there isn't a published article to state the issue.

August 21st, 2013 6:00am

Same issue here.

Any update on support for TLS 1.2 on Exchange 2010 or Exchange 2013?

August 20th, 2014 6:14am

Hi,

Did you have any updates on this issue?

Microsoft wrote in KB2709167 that it is a bug, but I don't see any information about a hotfix.

The other question I have is: which tool do you use to check which TLS version Exchange is using?

It would be great if you have any feedback or tip for me, thanks.

Cheers

Tobi

November 17th, 2014 3:09pm

Hi all,

I have also tried enabling TLS 1.2 on Exchange 2013 from the registry. I followed the article below.

http://jackstromberg.com/2013/09/enabling-tls-1-2-on-iis-7-5-for-256-bit-cipher-strength/

When I check OWA in Chrome and check the connection information, it says "The connection uses TLS 1.2".

However, when I run the command below to check for TLS 1.2, I get the following output.

Command: java -jar TestSSLServer.jar ns-ex13.gtestexchange.com 443

O/P:

Supported versions: SSLv3 TLSv1.0 TLSv1.1
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
  TLSv1.0
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  (TLSv1.1: idem)
----------------------
Server certificate(s):
  1979e6bdbd9b8e197d00c45534959eaba82b6f40: CN=ex10.gtestexchange.com, OU=Domain
 Control Validated
----------------------
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected

===================================================

It doesn't say anything about TLS 1.2.

Any suggestions from your side?

 

November 28th, 2014 7:14am
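Added example (not part of the original posts), relating to the two posts above that ask how to check which TLS version the server is using: a browser reports only the version negotiated for its own connection, so this PowerShell probe attempts one handshake per protocol version using .NET's SslStream. It assumes .NET Framework 4.5 or later and a port that speaks TLS immediately (such as 443, not SMTP STARTTLS on port 25); the function name Test-TlsVersion and the host mail.example.test are placeholders.

```powershell
# Added example: per-version TLS handshake probe (hypothetical helper name).
# Certificate errors are ignored on purpose: only the protocol negotiation is
# being tested and no application data is sent.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $protocol = [System.Security.Authentication.SslProtocols]$name
        $client   = New-Object System.Net.Sockets.TcpClient
        $client.ReceiveTimeout = 5000
        $client.SendTimeout    = 5000
        $result = 'handshake failed'
        $detail = ''
        try {
            $client.Connect($HostName, $Port)
            $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $stream = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
            # Offer exactly one protocol version; the handshake succeeds only
            # if the server accepts that version.
            $stream.AuthenticateAsClient($HostName, $null, $protocol, $false)
            $result = 'handshake succeeded'
            $detail = "$($stream.SslProtocol), $($stream.CipherAlgorithm) $($stream.CipherStrength)-bit"
            $stream.Dispose()
        } catch {
            # A failure can also mean this client has the version disabled,
            # so read the message before concluding the server refused it.
            $detail = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        [pscustomobject]@{
            Requested = $name
            Result    = $result
            Detail    = $detail
        }
    }
}

# Placeholder host name: replace with a server you administer.
Test-TlsVersion -HostName 'mail.example.test' -Port 443 | Format-Table -AutoSize
```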

Hi, I took this question to a Microsoft case and I got the following answer:

The TLS 1.2 is only running if you use CU6 for Exchange 2013.

Did you install it?

December 1st, 2014 8:34am

Microsoft noted in KB 3045301 https://support.microsoft.com/en-us/kb/3045301 that Simple mail transfer protocol (SMTP) uses transport layer security (TLS) 1.0 in a Microsoft Exchange Server 2013 environment, even if you have enabled TLS 1.1 or TLS 1.2 because of a hard-coded restriction that limits SMTP to use secure sockets layer (SSL) 3.0 and TLS 1.0 for transport. Exchange CU8 fixes this.

HOWEVER, we still cannot get Exchange 2013 CU8 to work after disabling SSL v3 and TLS v1.0 (on Server 2012). When we disable these protocols, SMTP mail stops flowing inbound and outbound, and the Exchange Admin Program (ECP or EAP) web access shows a blank page after logging in. Also, Outlook 2010 and mobile devices can't access the server.

Our Digicert SSL is fine, and we regenerated a new cert just in case, but still nothing. We changed the ordering of the Cipher Suites per the link posted above, and still nothing. We also performed a
netsh http delete sslcert ipport=0.0.0.0:444
and re-added it with:
netsh http add sslcert ipport=0.0.0.0:444 certhash=xxxxx appid="{xxxxx-yyyy}"
and still nothing.

Has anyone successfully disabled SSL v3 and TLS 1.0 on Exchange 2013 and has it working? If so, HOW?

Thanks.

April 30th, 2015 12:45pm

Probably not much help but here is my $0.02

I have 2 Exchange 2013 servers running on 2012 R2 Std servers. One is a test lab system and other is in production. They are in different physical locations.

I used the registry settings to disable SSL 3.0 and TLS 1.0 in my test server. OWA and POP/IMAP work fine. Outlook anywhere doesn't because I let that CA cert expire. It would appear that a CA cert doesn't matter for this set up (other than OA). 

OTOH, the production system (which has a valid CA cert) will not connect any way if I disable SSL 3.0 and/or TLS 1.0. It also shows the blank page behavior in OWA and ECP from "inside".

Became a little exciting for a little while. 

So far, I have not found the reason. Both Exchange servers are at RU 7 (V15 Build 1044.25).

I am investigating. Any tips greatly appreciated.

(edit) I am in the process of installing CU 8 in the test system to see if that changes anything. Backup, prior to install, running now.

May 11th, 2015 9:32am

Completed the update to CU8. Oddly, it re-enabled SSL 3.0 and TLS 1.0. Disabled them, rebooted and it is working OK. I still have no clue why it works on the test system and not production (maybe different certs after all?). I can't do much more until the weekend, maybe install CU8 on it. Seems a little early for that.


May 12th, 2015 9:32pm

Lou, any progress on your production server? No matter what is done, if TLS 1.0 is disabled on a CU8 patched Exchange 2013 production server, SMTP mail flow stops for us.  I've searched and found others say everything is fine after disabling TLS 1.0?  Just does not make sense?  Anyone think this is a CU8 bug?  I've tried minimal cipher suites, all cipher suites etc, all which don't seem to matter. Only disabling TLS 1.0 causes mail flow to stop? So frustrating that such a simple settings change causes so much grief. Thanks for hearing me out. Kevin

May 27th, 2015 1:57pm

No, but I have had other fish to fry and haven't worked on it. I hope to work on it this weekend. I am not optimistic. I will install CU8 but I see others have done that and no fix. 

My test server has a self signed cert, the production server has CA cert. Don't think that should matter but who knows. 

Lou

May 27th, 2015 2:48pm

No surprise. Installed CU 8 today, tried disabling them again and same result. 

Not sure what to try next...

Lou

May 30th, 2015 3:30pm

Hi All,

I updated my customer's Exchange 2013 installation to CU9 last night (CU9 was released on 06/16/2015 https://www.microsoft.com/en-us/download/details.aspx?id=47679). However, the issue still remains on CU9; disabling TLS 1.0 breaks Exchange (blank OWA page, can't load ECP, SMTP mail flow ceases and Outlook can't connect).

Just wanted to share that, at least for me, CU9 still doesn't address this issue.

Server information:  HP DL360p Gen 8, Windows 2008 R2 Enterprise w/SP1, Exchange 2013 Standard CU9.

Oh yeah, I almost forgot to mention, when TLS 1.0 was disabled, I could no longer make an RDP connection to the Exchange 2013 server.  I had to use HP's ILO (integrated lights out) in order to get into the server remotely and undo my changes.  Did any of you also experience RDP not working after disabling TLS 1.0?

July 22nd, 2015 12:22pm

I did not have RDP problems, I connect from SOHO via VPN. Have not installed CU-9 yet.

Lou

July 22nd, 2015 4:21pm

This topic is archived. No further replies will be accepted.
