Disable SSL 3.0 in Windows Server and Linux
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
- Click Start, click Run, type
regedit, and then click OK.
- In Registry Editor, locate the following registry key:
Note: If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
- In the Edit DWORD (32-bit) Value dialog box, type 0 .
- Click OK. Restart the computer.
Vulnerability in SSL 3.0 Could Allow Information Disclosure
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
The vulnerability, which is more formally known as CVE-2014-0160, allows an attacker to read up to 64 kilobytes of memory per attack on any connected client or server. Heartbleed got its name because it is a flaw in OpenSSL's implementation of the Heartbeat Extension for the TLS and DTLS protocols (RFC 6520).
The vulnerability, which is caused by poorly-written code, was discovered on the same day by Google and Codenomicon security researchers. The researchers quickly realized that an attacker could exploit the bug to exposeencrypted content, usernames, passwords, and private keys for X.509 certificates. Because OpenSSL is used by approximately 66% of all activewebsites on the Internet, many experts have called Heartbleed one of the worst security bugs in the history of the Internet.
Heartbleed vulnerabilities exist in all versions of OpenSSL released between March 2012 and April 2014, at which time the software defect was corrected and OpenSSL version 1.0.1g was released. To lessen the potential negative effects of Heartbleed, OpenSSL.org recommends that enterprises upgrade to the most recent version of OpenSSL and reissue X.509 certificates with new keys.
Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.
Microsoft is announcing that SSL 3.0 will be disabled in the default configuration of Internet Explorer and across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.
- The attacker must make several hundred HTTPS requests before the attack could be successful.
- TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.