
Enable TLS 1.2 in Exchange 2010

Tutorial on how to enable TLS 1.2 in Exchange 2010, following my previous post on Provision Exchange 2010 with PowerShell.

TLS 1.2 is NOT enabled by default on a Windows Server 2008 R2 host with Exchange 2010 SP3 installed, and the following error message appears when accessing Outlook Webmail (https://mail.aventis.dev) with Google Chrome:


Enable TLS 1.2 in Exchange 2010 Server running on Windows 2008R2 Server

First, check which protocol versions and cipher suites the server currently offers with sslscan, run from a client machine. The output below is the state before any change:

C:\Temp>sslscan mail.aventis.dev
Version: 2.0.0 Windows 64-bit (Mingw)
OpenSSL 1.1.1e-dev  xx XXX xxxx

Connected to 10.10.10.181

Testing SSL server mail.aventis.dev on port 443 using SNI name mail.aventis.dev

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  128 bits  RC4-SHA
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  RC4-MD5
Preferred TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  128 bits  RC4-SHA
Accepted  TLSv1.0  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  RC4-MD5

  Server Signature Algorithm(s):
TLSv1.2  rsa_pkcs1_sha256

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.aventis.dev
Altnames: DNS:*.aventis.dev
Issuer:   Let's Encrypt Authority X3

Not valid before: Sep  7 02:20:58 2020 GMT
Not valid after:  Dec  6 02:20:58 2020 GMT
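
The same per-protocol check can be run from any Windows admin workstation without installing sslscan, by opening one .NET SslStream handshake per protocol version and offering only that version. This is an added example, not code from the original post; it assumes the host name mail.aventis.dev used above and the standard .NET classes, nothing else. One caveat: the result is bounded by the probing client's own Schannel configuration, so a current Windows client (which no longer offers SSL 3.0 itself) reports SSL 3.0 as "not negotiated" whatever the server does; sslscan with its own OpenSSL is the authoritative tool for the legacy protocols.

```powershell
# Added example: probe which SSL/TLS versions a server negotiates, one handshake per version.
# Assumed host name from the post: mail.aventis.dev. Run from an admin workstation.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 443,
        [string[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )

    # We are testing protocol support, not trust, so accept any certificate.
    $acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }

    foreach ($proto in $Protocols) {
        $client = New-Object -TypeName System.Net.Sockets.TcpClient
        $ssl    = $null
        $result = New-Object PSObject -Property @{
            Protocol = $proto; Negotiated = $false; Cipher = $null; Error = $null
        }
        try {
            $client.Connect($ComputerName, $Port)
            $ssl = New-Object -TypeName System.Net.Security.SslStream `
                -ArgumentList $client.GetStream(), $false, $acceptAnyCert
            # Offer exactly one protocol version; the server either accepts it or aborts the handshake.
            $ssl.AuthenticateAsClient($ComputerName, $null,
                [System.Security.Authentication.SslProtocols]$proto, $false)
            $result.Negotiated = $true
            $result.Cipher = '{0} {1}-bit ({2})' -f $ssl.CipherAlgorithm, $ssl.CipherStrength, $ssl.SslProtocol
        }
        catch {
            # A handshake alert lands here, but so does a TCP connect failure,
            # which is why the message is kept: "connection refused" is not "protocol disabled".
            $result.Error = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Dispose()
        }
        $result
    }
}

Test-TlsProtocol -ComputerName 'mail.aventis.dev' | Format-Table Protocol, Negotiated, Cipher, Error -AutoSize
```

Read the Error column before trusting a "Negotiated = False" row: only a handshake failure proves the server refused that version, a socket error proves nothing about the protocol.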

Enable TLS 1.2 and disable TLS 1.1, SSL 2.0 and SSL 3.0 with the PowerShell below, then reboot the server: Schannel reads these keys only at start-up, so nothing changes until the reboot. Note that the scan above also shows RC4 (RC4-SHA, RC4-MD5) and 3DES (DES-CBC3-SHA) cipher suites being accepted; cipher suite selection is controlled separately from the protocol keys below.

# Enable TLS 1.2 on Windows 2008R2: Enabled=1 switches the protocol on, DisabledByDefault=0 puts it in the default protocol list
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols"
foreach ($Side in "Client", "Server") {
    $Key = "$Path\TLS 1.2\$Side"
    New-Item -Path $Key -Force | Out-Null    # -Force creates missing parent keys and does not fail if the key already exists
    New-ItemProperty -Path $Key -Name "Enabled" -Value 1 -PropertyType "DWord" -Force | Out-Null
    New-ItemProperty -Path $Key -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" -Force | Out-Null
}

# Disable TLS 1.1, SSL 2.0 and SSL 3.0 on Windows 2008R2: Enabled=0 switches the protocol off outright;
# DisabledByDefault=1 on its own only removes it from the default list, an application can still request it
foreach ($Protocol in "TLS 1.1", "SSL 2.0", "SSL 3.0") {
    foreach ($Side in "Client", "Server") {
        $Key = "$Path\$Protocol\$Side"
        New-Item -Path $Key -Force | Out-Null
        New-ItemProperty -Path $Key -Name "Enabled" -Value 0 -PropertyType "DWord" -Force | Out-Null
        New-ItemProperty -Path $Key -Name "DisabledByDefault" -Value 1 -PropertyType "DWord" -Force | Out-Null
    }
}

# Reboot the server so Schannel picks up the new keys
Restart-Computer

The error message is gone when accessing Outlook Webmail with Google Chrome now.

ERR_RESPONSE_HEADERS_TRUNCATED

We did encounter the error message "ERR_RESPONSE_HEADERS_TRUNCATED" in Chrome when logging in to Outlook Webmail after the reboot.

Resolution: verify that the Microsoft Exchange Forms-Based Authentication service is started (Get-Service MSExchangeFBA should report Running); start it if it is not.

Result from Qualys SSL Labs

The Qualys SSL Labs result shows that TLS 1.0 is still enabled. We cannot disable TLS 1.0 yet: that has to wait until Update Rollup 30 for Exchange Server 2010 SP3 is installed.

Update Rollup 30 for Exchange Server 2010 SP3

Download and install Visual C++ Redistributable Packages x64

Download and install Update Rollup 30 for Exchange Server 2010 SP3

Disable TLS 1.0 and reboot the Exchange 2010 server. Before doing so, confirm that nothing else on the box still depends on TLS 1.0: on Windows Server 2008 R2, Remote Desktop negotiates TLS 1.1/1.2 only after update KB3080079 is installed, and Exchange's own .NET Framework code follows the Schannel protocol list only once the .NET SystemDefaultTlsVersions registry value is set as described in Microsoft's Exchange Server TLS guidance. Any client, device or application that cannot negotiate TLS 1.2 (including anything relaying SMTP through the server) will stop working after this step.

# Disable TLS 1.0 on Windows 2008R2 (only after Update Rollup 30 for Exchange 2010 SP3 is installed)
$Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols"
foreach ($Side in "Client", "Server") {
    $Key = "$Path\TLS 1.0\$Side"
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name "Enabled" -Value 0 -PropertyType "DWord" -Force | Out-Null
    New-ItemProperty -Path $Key -Name "DisabledByDefault" -Value 1 -PropertyType "DWord" -Force | Out-Null
}

# Reboot the server so Schannel picks up the change
Restart-Computer
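
Before rebooting, and again afterwards, it helps to read back what is actually in the registry rather than trusting that the scripts above ran cleanly. The audit below is an added example, not part of the original post; it assumes only the Schannel Protocols registry path used above and the documented meaning of the Enabled and DisabledByDefault values. It is read-only and runs in PowerShell 2.0, so it works in an elevated prompt on the Windows Server 2008 R2 host itself.

```powershell
# Added example: read back the Schannel protocol settings on the Exchange server and flag
# anything other than TLS 1.2 that is still reachable on the server side. Read-only.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Get-SchannelProtocol {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelProtocols $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $item = Get-ItemProperty -Path $key
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            # An absent key or value leaves Schannel's built-in default for this Windows version
            # in force, so "not set" has to be read against the OS default, not as "off".
            $state = if ($enabled -eq 0) { 'off' }
                     elseif ($enabled -eq $null -and $disabledByDefault -eq $null) { 'not set (OS default)' }
                     elseif ($disabledByDefault -eq 1) { 'on, but not in default list' }
                     else { 'on' }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Anything other than TLS 1.2 that is not switched off outright on the server side is a finding:
# DisabledByDefault=1 alone still lets an application ask for the protocol explicitly.
function Get-SchannelWeakServerProtocol {
    Get-SchannelProtocol |
        Where-Object { $_.Side -eq 'Server' -and $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'off' }
}

Get-SchannelProtocol | Format-Table Protocol, Side, Enabled, DisabledByDefault, State -AutoSize
$weak = @(Get-SchannelWeakServerProtocol)
if ($weak.Count -eq 0) { 'Only TLS 1.2 is switched on for the server side.' }
else { 'Still reachable on the server side: ' + (($weak | ForEach-Object { $_.Protocol }) -join ', ') }
```

The registry view tells you what will apply after the reboot; the sslscan run that follows tells you what the server actually negotiates, and the two should agree once the server is back up.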

After the reboot, run sslscan against mail.aventis.dev again to confirm that only TLS 1.2 is enabled:

C:\Temp>sslscan mail.aventis.dev
Version: 2.0.0 Windows 64-bit (Mingw)
OpenSSL 1.1.1e-dev  xx XXX xxxx

Connected to 10.10.10.181

Testing SSL server mail.aventis.dev on port 443 using SNI name mail.aventis.dev

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

Verify that TLS 1.0 is disabled and that users can still log in to https://mail.aventis.dev without any issue. Test with the mail clients and devices actually in use, not just a current browser, since anything that cannot negotiate TLS 1.2 is locked out from this point on.

Appendix

Verify the Exchange 2010 version installed

Check the build of the existing Exchange 2010 server against Microsoft's list of Exchange Server build numbers and release dates, to confirm which update rollup is in place:

Get-Command ExSetup | ForEach-Object { $_.FileVersionInfo }

ProductVersion   FileVersion      FileName
--------------   -----------      --------
14.03.0123.004   14.03.0123.004   C:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetup.exe