Exchange 2010 and SSL Browser Warnings

One of our customers rang me up and complained about the SSL certificate that was renewed for their Exchange server. The SSL certificate was renewed on the server and there were no issues. However, the user's machine, with Google Chrome specifically, was showing a warning about SSL. The warning was regarding an insecure connection.

SSL certificates are a very important cog in data security, and resolving this issue is our highest priority. Getting such an error message in the browser while accessing email via OWA is a security threat. I immediately started working on the problem, keeping in mind the current infrastructure:

  • Operating System: Windows Server 2008 R2
  • Exchange Server: Exchange Server 2010

We are fully aware that the infrastructure above is obsolete, and an immediate upgrade is recommended. In any case, a problem is a problem that needs to be resolved.

Finding the problem was pretty easy since it was staring us right in the face. First I needed to go back to basics and assess the certificate that was renewed. I checked and verified that the SSL certificate was using the latest encryption algorithm and that it was active.

So the next question to ask is whether the website is using the right set of protocols, and whether they are configured correctly on the server hosting the services. Finding the vulnerabilities on a website can be a difficult task if you don’t know what you need to do. However, in our scenario, we used SSL Server Test and it gave us a lot more information about our current issues.

Once you run the utility, you notice that SSL v2 and SSL v3 are highlighted in red and should be addressed on the server. These protocols are considered vulnerable and obsolete.

There is a popular tool available called IISCrypto 3.2 that allows one to assess the SSL configuration on the server. Once you run this tool, the findings are surprising. All the protocols are allowed to run with the default settings. Since SSL v2 and SSL v3 are vulnerable and obsolete, they need to be disabled.

Simply put, the server is vulnerable and needs to be fixed ASAP.

There are normally many ways to fix this, but the simplest and most effective of all is to run the tool from above. While the IISCrypto 3.2 tool is open, click “Best Practices” to enable and disable the recommended security protocols on the server. Next, check “Reboot Server” and click Apply. The server will then reboot. You should do this on all the servers in your environment, or at least the public-facing servers.

Once your server has restarted successfully, you can try and run the same URL from any browser and you should not get the warning any more.
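To confirm the result on each server without opening the GUI, the following read-only PowerShell check reports the server-side protocol state from the SCHANNEL registry keys. It is an added example, not part of the original post or of the IISCrypto tool; it assumes the standard SCHANNEL `Protocols` registry location and avoids syntax newer than PowerShell 2.0 so it runs on Windows Server 2008 R2.

```powershell
# Read-only audit of SCHANNEL server-side protocol settings (added example).
# Nothing is written to the registry; run from an elevated PowerShell prompt.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$obsolete  = 'SSL 2.0', 'SSL 3.0'   # the two protocols the scan highlighted in red

$report = foreach ($p in $protocols) {
    $key   = Join-Path $base "$p\Server"
    $state = 'not set (OS default applies)'

    if (Test-Path $key) {
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # The Enabled DWORD is 0 when disabled; any non-zero value (often
        # 0xFFFFFFFF, which PowerShell shows as -1) means enabled.
        if ($v -and $v.Enabled -ne $null) {
            if ($v.Enabled -eq 0) { $state = 'disabled' } else { $state = 'enabled' }
        }
    }

    # An obsolete protocol passes only when it is explicitly disabled. A
    # missing value is flagged too, because the post found every protocol
    # allowed under the default settings.
    $verdict = 'ok'
    if (($obsolete -contains $p) -and ($state -ne 'disabled')) { $verdict = 'FIX' }

    New-Object PSObject -Property @{
        Protocol = $p
        Server   = $state
        Verdict  = $verdict
    }
}

$report | Select-Object Protocol, Server, Verdict | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job pick up failures.
$bad = @($report | Where-Object { $_.Verdict -eq 'FIX' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} obsolete protocol(s) not explicitly disabled on {1}" -f $bad.Count, $env:COMPUTERNAME)
    exit 1
}
exit 0
```

Run it after the reboot, since protocol changes only take effect once the server has restarted, and then re-run the external scan to confirm what clients actually see.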
