Disabling SSL 3.0 in Lync Server 2013 and Skype for Business Server 2015

If you recently checked a certificate with the DigiCert SSL Certificate Checker (https://www.digicert.com/help/), you may have noticed the following warning:

[Screenshot: SSL3-01]

DigiCert added this verification due to a vulnerability that was discovered a few days ago. For more information about this vulnerability, check the following articles:

Vulnerability Summary for CVE-2014-3566
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

This POODLE bites: exploiting the SSL 3.0 fallback
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html

Microsoft also released a Security Advisory describing how to disable SSL 3.0 on the client and server side:

Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure
https://technet.microsoft.com/en-us/library/security/3009008.aspx

This Security Advisory mentions that, in order to disable SSL 3.0 on the server, you need to add a key to the registry. To make things easier, here is the command to run in Command Prompt:

reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f

After changing this, restarting the Lync services is enough to apply the new configuration:

Stop-CsWindowsService
Start-CsWindowsService

Note: If you use ARR for publishing Lync External Web Services, you can also disable SSL 3.0 on those servers with the same command and then restart IIS (iisreset).

Finally, you can check it again using the DigiCert – SSL Certificate Checker (https://www.digicert.com/help/):

[Screenshot: SSL3-02]
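
To confirm the registry value on each server as well as through the external checker, the setting can be read back with PowerShell. This is an added example, not part of the original post: Get-Ssl3ServerState is a hypothetical helper name, the server names are constructed, and remote hosts are assumed to accept PowerShell remoting.

```powershell
# Added example: report the Schannel SSL 3.0 server-side setting on one or more servers.
# Get-Ssl3ServerState is a hypothetical helper; remote checks assume PowerShell remoting is enabled.
function Get-Ssl3ServerState {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on the target machine and reads the value written by the reg add command above.
    $check = {
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'
        $item = Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $value = $null
            $state = 'NotConfigured'   # key or value absent: the OS default applies
        } elseif ($item.Enabled -eq 0) {
            $value = $item.Enabled
            $state = 'Disabled'
        } else {
            $value = $item.Enabled
            $state = 'Enabled'
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Enabled  = $value
            State    = $state
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                & $check
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock $check -ErrorAction Stop |
                    Select-Object Computer, Enabled, State
            }
        } catch {
            # Report unreachable hosts instead of silently skipping them.
            [pscustomobject]@{ Computer = $computer; Enabled = $null; State = "Unreachable: $($_.Exception.Message)" }
        }
    }
}

# Constructed server names; replace with your Front End and ARR servers.
Get-Ssl3ServerState -ComputerName 'fe01.contoso.example', 'arr01.contoso.example' |
    Format-Table -AutoSize
```

This reports the configured value only; the external check confirms what the restarted services actually negotiate.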

In case you need to roll back, simply remove the key and restart the Lync services:

reg delete "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled
