Exchange 2010: Enable & verify TLS 1.2

The clock is ticking down to 31st October 2018 when Microsoft are going to disable TLS 1.0 & 1.1 in Office 365.

In preparation for this, I’ve been enabling & verifying TLS 1.2 for customers who have Exchange hybrid deployments with Exchange 2010 on-premises.

This article details how to prepare Exchange 2010 (Step 1) and the Operating System (Step 2), and then how to verify that TLS 1.2 is supported (Step 3). Note this article is specific to Exchange 2010 and only covers enabling and verifying TLS 1.2; it doesn't cover disabling TLS 1.0 and 1.1.

Step 1: Exchange 2010

Exchange 2010 needs to be at a minimum of SP3 RU19 to support TLS 1.2.

Verify the build number by running the following PowerShell command:

Get-Command ExSetup | ForEach {$_.FileVersionInfo}

e.g.

[screenshot: Ex2010Version, the output of the command above showing the ProductVersion value]

Take the ProductVersion value, and look it up here to determine what RU is installed.

In the example above, the ProductVersion returned is 14.03.0361.001.

14.03.0361.001 = Update Rollup 18 for Exchange Server 2010 SP3 (11th July 2017).

In this example, the minimum RU isn't satisfied, therefore RU 19 or later needs to be applied. Right now (11th October 2018) that is Exchange 2010 SP3 RU22 (19 June 2018).

The latest version of .NET 3.5.1 and patches also need to be installed.
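To take the manual lookup out of Step 1, the following is an added example (not from the original article) that compares the ExSetup ProductVersion against a minimum build and reads the installed .NET 3.5 version from the registry. The RU19 build number is not supplied here: take it from the build-number table linked above and pass it as -MinimumBuild. Run it in the Exchange Management Shell on the Exchange 2010 server (PowerShell 2.0 is enough).

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the Exchange 2010 server.
function Test-Ex2010Tls12Prereqs {
    param(
        # Placeholder: pass the SP3 RU19 build from the build-number table the
        # article links to (format 14.3.x.y); it is deliberately not hard-coded here.
        [Parameter(Mandatory = $true)]
        [version]$MinimumBuild
    )

    # Same source the article uses: the version stamp on ExSetup.exe.
    # '14.03.0361.001' parses as [version] 14.3.361.1, so a numeric compare works
    # instead of eyeballing the string.
    $exsetup   = Get-Command ExSetup -ErrorAction Stop
    $installed = [version]$exsetup.FileVersionInfo.ProductVersion

    # .NET 3.5 SP1 registers itself under this key (Version 3.5.30729.x, SP = 1).
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        ExchangeBuild = $installed
        MinimumBuild  = $MinimumBuild
        ExchangeOk    = ($installed -ge $MinimumBuild)
        DotNet35      = $(if ($ndp) { $ndp.Version } else { 'not found' })
        DotNet35SP    = $(if ($ndp) { $ndp.SP } else { 'not found' })
    }
}

# Usage: the build is a placeholder, substitute the RU19 build from the table
# Test-Ex2010Tls12Prereqs -MinimumBuild '14.3.x.y'
```

With the article's example server the ExchangeBuild comes back as 14.3.361.1 and ExchangeOk is False, which is the "apply RU19 or later" outcome described above; the .NET fields show whether 3.5 SP1 is present at all before the patches in Step 2 are checked.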

Step 2: Operating System

When Exchange is at RU19 or later, look at what needs to be done to enable TLS 1.2 support in Windows Server.

  • Windows Server 2008 SP2: TLS 1.2 is not supported by default.
  • Windows Server 2008 R2 SP1: TLS 1.2 is supported but disabled by default.
  • Windows Server 2012: TLS 1.2 is the default SChannel Security Protocol.

Windows Server 2008 SP2

Ensure the latest Windows updates are applied; this must include:

  • KB4019276 to add TLS 1.2 capability as a default secure protocol for SChannel.
  • KB3161949 for the current version of WinHTTP.

Install KB3154517 for .NET Framework 3.5.1.

Windows Server 2008 R2 SP1

Ensure the latest Windows updates are applied; this must include:

  • KB3161949 for the current version of WinHTTP.
  • KB3080079 to add TLS 1.2 capability to RDS (optional).

Install KB3154517 for .NET Framework 3.5.1.

Windows Server 2012

Ensure the latest Windows updates are applied; this must include:

  • KB3161949 for the current version of WinHTTP.

Install KB3154517 for .NET Framework 3.5.1.

Step 3: Enable & verify TLS 1.2

When the above steps have been completed, registry settings need to be added to enable TLS 1.2 for SChannel and to enable TLS 1.2 for .NET 3.5.

TLS 1.2 for SChannel

Import the following:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

.NET 3.5

Import the following:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

REBOOT
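Steps 2 and 3 together, as an added example that is not from the original article: it checks that the hotfixes listed in Step 2 for the detected OS are present, writes the registry values from the two .reg files above idempotently, and reads every value back so a typo or a missing parent key shows up before the reboot. Run it elevated on the Exchange 2010 server; it sticks to PowerShell 2.0 cmdlets because that is what Windows Server 2008 / 2008 R2 ship with.

```powershell
# Added example, not from the original article. Run elevated on the Exchange
# 2010 server. A reboot is still required after it completes.

# Hotfixes from Step 2. KB4019276 is only needed on Windows Server 2008 SP2
# (not R2); KB3080079 (RDS) is optional in the article and not checked here.
$os          = Get-WmiObject Win32_OperatingSystem
$requiredKBs = @('KB3161949', 'KB3154517')
if ($os.Caption -like '*2008*' -and $os.Caption -notlike '*R2*') { $requiredKBs += 'KB4019276' }

$installedKBs = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($kb in $requiredKBs) {
    $state = if ($installedKBs -contains $kb) { 'installed' } else { 'MISSING' }
    Write-Host ('{0,-10} {1}' -f $kb, $state)
}

# Registry values exactly as in the two .reg files above
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$settings = @(
    @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\Client"; Name = 'Enabled';           Value = 1 },
    @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Value = 0 },
    @{ Path = "$schannel\Server"; Name = 'Enabled';           Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727';             Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'; Name = 'SystemDefaultTlsVersions'; Value = 1 }
)

foreach ($s in $settings) {
    # New-Item -Force creates missing parent keys too (Protocols\TLS 1.2 often does not exist yet)
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
}

# Read back and flag anything that did not stick
foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $state  = if ($actual -eq $s.Value) { 'ok' } else { "WRONG (got '$actual')" }
    Write-Host ('{0}\{1} = {2}  {3}' -f $s.Path, $s.Name, $s.Value, $state)
}
```

Two points worth keeping in mind when reading the output: the .NET value only has an effect once the 3154517 update from Step 2 is installed, so a "MISSING" there matters even if the registry read-back is all "ok"; and the Client values affect the TLS versions Exchange itself offers on outbound connections, which is exactly what the hybrid traffic to Office 365 depends on.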

Verification

I verified TLS 1.2 using OpenSSL (download a Windows version here).

No TLS 1.2 support (before the above work):

openssl s_client -connect ex2010.x500.co.uk:25 -starttls smtp -tls1_2
CONNECTED(000000EC)
14376:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
:ssl\statem\statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 3849 bytes and written 258 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1539162946
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

TLS 1.2 supported (after the above work):

openssl s_client -connect ex2010.x500.co.uk:25 -starttls smtp -tls1_2
CONNECTED(000000EC)
[detail removed]
---
Certificate chain
[detail removed]
---
Server certificate
-----BEGIN CERTIFICATE-----
[detail removed]
-----END CERTIFICATE-----

---
No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3958 bytes and written 433 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 1C320000032484DC824C89DF2B0821C4040A1FC70B06B896B9B8BB58E55F23E4
Session-ID-ctx:
Master-Key: 714F81D66A7DA4D7AC1E86F336AD0489EADCD1023587804BB5C0366C836B6C91
F6015A48FCEC5905C5D09508392239DA
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1539260846
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
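If OpenSSL isn't to hand, the same before/after check can be made from PowerShell with System.Net.Security.SslStream. The following is an added example, not from the original article: it runs the SMTP dialogue up to STARTTLS and then forces a TLS 1.2-only handshake, or skips the SMTP part for ports where TLS starts immediately (such as 443, which hybrid also uses). Run it from a workstation with .NET 4.5 or later (PowerShell 3+), because the client side must itself be able to offer TLS 1.2; the hostname in the usage lines is the one from the article's own test. The EHLO client name and the 10-second timeout are my own choices.

```powershell
# Added example, not from the original article. Probes a server for TLS 1.2 over
# SMTP STARTTLS (default) or directly on a TLS port. Needs .NET 4.5+ on the client.
function Test-Tls12 {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$Port = 25,
        [switch]$NoStartTls   # set for ports where TLS starts immediately, e.g. 443
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.SendTimeout    = 10000
    $client.Connect($Server, $Port)
    $net = $client.GetStream()

    try {
        if (-not $NoStartTls) {
            $reader = New-Object System.IO.StreamReader($net, [System.Text.Encoding]::ASCII)
            $writer = New-Object System.IO.StreamWriter($net, [System.Text.Encoding]::ASCII)
            $writer.NewLine   = "`r`n"
            $writer.AutoFlush = $true

            # An SMTP reply is one or more lines: '250-' continues, '250 ' ends it.
            $readReply = {
                $lines = @()
                do {
                    $line = $reader.ReadLine()
                    if ($line -eq $null) { throw 'Connection closed by server' }
                    $lines += $line
                } while ($line.Length -ge 4 -and $line[3] -eq '-')
                $lines
            }

            $banner = @(& $readReply)
            if ($banner[-1] -notlike '220*') { throw "Unexpected banner: $($banner[-1])" }
            $writer.WriteLine('EHLO tls12check.example')   # constructed client name
            $ehlo = @(& $readReply)
            if (-not ($ehlo -match '^250[ -]STARTTLS')) { throw 'Server does not advertise STARTTLS' }
            $writer.WriteLine('STARTTLS')
            $ready = @(& $readReply)
            if ($ready[-1] -notlike '220*') { throw "STARTTLS refused: $($ready[-1])" }
        }

        # Accept any certificate: the question here is the protocol version, not the
        # chain (the article's own OpenSSL run also ended with verify return code 20).
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)

        New-Object PSObject -Property @{
            Server         = ('{0}:{1}' -f $Server, $Port)
            Tls12Supported = $true
            Protocol       = $ssl.SslProtocol
            Cipher         = ('{0} {1}-bit' -f $ssl.CipherAlgorithm, $ssl.CipherStrength)
            KeyExchange    = $ssl.KeyExchangeAlgorithm
            Hash           = $ssl.HashAlgorithm
        }
    }
    catch {
        # A server without TLS 1.2 fails the handshake here: the SslStream
        # equivalent of OpenSSL's "unsupported protocol" output above.
        New-Object PSObject -Property @{
            Server         = ('{0}:{1}' -f $Server, $Port)
            Tls12Supported = $false
            Error          = $_.Exception.Message
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (hostname from the article's test; substitute your own server):
# Test-Tls12 -Server ex2010.x500.co.uk -Port 25
# Test-Tls12 -Server ex2010.x500.co.uk -Port 443 -NoStartTls
```

Before the registry work the call returns Tls12Supported = False with the handshake error; afterwards it returns True with Protocol Tls12 and the negotiated cipher, matching the ECDHE-RSA-AES256-SHA384 line in the OpenSSL output above. Because the certificate callback accepts everything, this tells you nothing about the chain; keep the OpenSSL verify return code (or a separate certificate check) for that.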

Ready for 31st October 2018, sorted!