How do I patch CVE-2014-3566 on a Windows Server 2012 system running IIS?
Is there a patch in Windows Update, or do I have to do a registry change to disable SSL 3.0?
Best Answer
There is no "patch". It's a vulnerability in the protocol, not a bug in the implementation.
In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.
To disable SSLv3, which the POODLE vulnerability is concerned with, create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server) create a DWORD value named Enabled and leave it set at 0.
Disabling SSL 2.0, which you should also be doing, is done the same way, except that you'll be using a key named SSL 2.0 in the above registry path.
I haven't tested all versions, but I think it's probably safe to assume that a reboot is necessary for this change to take effect.
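The registry steps in the answer above, scripted in PowerShell as an added example (not part of the original answer). The function name Disable-SchannelServerProtocol is hypothetical, the script assumes an elevated prompt, and it does not reboot the server.

```powershell
# Added example: run from an elevated PowerShell prompt on the server.
# Root key named in the answer; protocol subkeys live directly under it.
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

# Hypothetical helper (not a built-in cmdlet): creates <Protocol>\Server if it
# is missing, sets the DWORD value Enabled to 0, then reads the value back.
function Disable-SchannelServerProtocol {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Protocol
    )

    $serverKey = "$protocolsRoot\$Protocol\Server"

    # Only create the key when it is absent, so values already stored under an
    # existing key are left alone. -Force also creates the missing parent key.
    if (-not (Test-Path -Path $serverKey)) {
        New-Item -Path $serverKey -Force | Out-Null
    }

    # -Force overwrites an existing Enabled value (for example, one set to 1).
    New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 `
        -PropertyType DWord -Force | Out-Null

    # Read back what is actually stored rather than trusting the write.
    $stored = (Get-ItemProperty -Path $serverKey -Name 'Enabled').Enabled

    New-Object -TypeName PSObject -Property @{
        Protocol = $Protocol
        Key      = $serverKey
        Enabled  = $stored
    }
}

# SSL 3.0 is the protocol POODLE concerns; SSL 2.0 is disabled the same way.
$results = foreach ($name in 'SSL 2.0', 'SSL 3.0') {
    Disable-SchannelServerProtocol -Protocol $name
}

$results | Format-Table -Property Protocol, Enabled, Key -AutoSize

# Fail loudly if any value did not end up as 0.
if ($results | Where-Object { $_.Enabled -ne 0 }) {
    throw 'At least one protocol still has Enabled set to a non-zero value.'
}
```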