Disabling SSLv3

SSLv3 is an obsolete protocol, the main attack vector on which, at the time of writing, is an attack called POODLE. Disabling SSLv3 is the ultimate solution to mitigate security risks. Another option suitable for servers that critically require SSLv3 support is a signalizing TLS_FALLBACK_SCSV cipher suite that allows to keep SSLv3 enabled, but prevents downgrade attacks from higher protocols (TLSv1 =< ). Unfortunately, at the time of writing, Microsoft didn’t yet add support for TLS_FALLBACK_SCSV in SChanel. Therefore, disabling SSLv3 is the only mitigation measure a certificate administrator can apply against POODLE in case of a Windows Server.

  1. Open registry editor:

    Win + R > regedit

  2. Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

    Hardening_9.jpg

  3. By default, there should be only one key presented “SSL 2.0”. We need to create a new one for SSLv3

    Right-click on “Protocols” > New > Key

    Name the key “SSL 3.0”

    Hardening_10.jpg

  4. Right-click on “SSL 3.0” > New > Key

    Hardening_11.jpg

    Name the key “Server”

  5. Right-click on “Server” > New > DWORD (32-bit) Value

    Hardening_12.jpg

    Name the value “Enabled”

  6. Double-click the “Enabled” value and make sure that there is zero (0) in the “Value Data” field > click “OK”

    Hardening_13.jpg

  7. You may need to restart Windows Server to apply the changes.

Comments

We welcome your comments, questions, corrections and additional information relating to this article. Your comments may take some time to appear. Please be aware that off-topic comments will be deleted.

If you need specific help with your account, feel free to contact our Support Team. Thank you.

Need help? We're always here for you.

× Close