Question

VMNerd on Thu, 15 Oct 2015 20:15:54


I am in need of confirming if SharePoint 2013 supports disabling SSL 3.0 and TLS 1.0.

From what I can gather thus far, SSL 3.0 can be disabled without issue; however, SharePoint 2013 currently requires TLS 1.0 to be enabled. I have not been able to find a Microsoft KB article indicating that TLS 1.0 is required to be enabled for SP2013, only a post at the link below.

http://thesharepointfarm.com/2015/08/sharepoint-support-for-disabling-ssl-3-0-and-tls-1-0/

Is anyone aware of a Microsoft KB article, blog or tech article indicating that TLS 1.0 is required to be enabled for SP 2013?

Thank you.


JCashon

Replies

IoTGirl on Thu, 15 Oct 2015 20:24:24


Hi JCashon,

Can you explain your requirement? The known issue is that SSL 3.0 is vulnerable to a POODLE attack and TLS 1.0 will downgrade to SSL 3.0 if SSL 3.0 is enabled. The fix is just to disable SSL 3.0 as TLS 1.0 will not downgrade in that case.

https://technet.microsoft.com/en-us/library/security/3009008.aspx?f=255&MSPPError=-2147217396

Sincerely,

IoTGirl

Trevor Seward on Thu, 15 Oct 2015 21:06:14


SharePoint requires TLS v1.0 (it will also use SSL 3, but it can be disabled). This is due to the .NET Framework. An update was later released for the v4.5 Framework, but that requires an application to be recompiled to support TLS v1.1/1.2.

So, in short, you must leave TLS v1.0 enabled for SharePoint 2013.

Victoria Xia on Thu, 22 Oct 2015 03:30:26


Hi JCashon,

I agree with Trevor.

If his reply is helpful, you can mark it as the answer.

Best regards,

Victoria

bnigl on Wed, 28 Sep 2016 18:30:47


Microsoft has provided an unofficial guide, with official documentation expected to be released soon, to support TLS 1.2 only.

https://blogs.msdn.microsoft.com/rodneyviana/2016/06/28/the-unofficial-guide-for-sharepoint-2013-and-2010-working-with-tls-1-2-only/

TLS 1.0 can be disabled in SharePoint 2010 and SharePoint 2013 using this guidance.  Note, however, there is an issue using Windows Explorer from Windows 7 computers and Windows 2008 servers.  Windows Explorer prior to Windows 10 lacks TLS 1.2 support.

Brian

techs uk on Fri, 01 Sep 2017 13:34:09


Wish I'd checked for this first.

Disabled TLS 1.0 and it seemed to work, until a week later people started reporting search was out of date. At first I didn't make the connection.

I was about to raise a call and thought, "hang on, let's put 1.0 back on" and bingo, it started working.

What a noob, I've been in IT for years - I should have checked...

Trevor Seward on Fri, 01 Sep 2017 14:55:38


This thread is fairly old; you can now disable TLS 1.0 and TLS 1.1. Follow this guide: https://technet.microsoft.com/en-us/library/mt773991.aspx

Lance G on Fri, 12 Oct 2018 16:17:04


Hi Trevor,

I know this is an old thread but hopefully you see this.

I followed the article linked above but as soon as I disable TLS 1.0 I get a lot of errors for Schannel that say "A fatal error occurred while creating an SSL client credential. The internal error state is 10013."

It is the same error described here: https://social.technet.microsoft.com/Forums/ie/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin

When I follow the suggested steps to enforce FIPS algorithms, InfoPath forms (such as in approval workflow) no longer work.

Do you have any suggestions for disabling TLS 1.0 without the flood of errors for Schannel?

Thanks,

Lance

Trevor Seward on Fri, 12 Oct 2018 18:14:54


FIPS is not supported on SharePoint servers. I would look at the CAPI2 event logs to help determine the certificate issue. You may also want to start a new thread.

Rumi's Point on Fri, 26 Oct 2018 14:12:31


Hello everyone:

I know Trevor has included a link for disabling TLS 1.0/1.1 but I need to confirm a couple of things as organizations are disabling SSL 3.0, TLS 1.0/1.1 in their environments.  Can someone confirm the following please even though it may be redundant:

1.  Can SP 2010 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?

2.  Can SP 2013/2016 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?

Many thanks!

Lance G on Fri, 26 Oct 2018 14:16:29


Trevor's link is still correct:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-and-ssl-support-in-sharepoint-2013

I followed that article and it is working for me. I thought it wasn't working but the issue wasn't with SharePoint. I found an old Windows service from a vendor that was causing my errors. When I disabled it, my errors went away.

We left TLS 1.1 enabled. TLS 1.0 is off. All is good so far.

Rumi's Point on Fri, 26 Oct 2018 14:18:21


Thank you.  But what about TLS 1.2?

1.  Can SP 2010 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?

2.  Can SP 2013/2016 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?

Lance G on Fri, 26 Oct 2018 14:28:51


It is the client that you need to test. TLS 1.2 is supported by all current browsers. I believe some older versions of IE don't support 1.2. Some clients, if they use an older version of .NET, don't use TLS 1.2 by default. For example, the old Windows service I just mentioned.

I am using SP 2013. Can't speak for other versions.

We implemented the changes in our test environment and tested everything thoroughly. That is the best you can do because every environment is different.

Have you actually read the article Trevor provided? The 2016 version is here:

https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016#schannel

Read that in detail and you should be fine. Here is a quote from that page about disabling older protocols:

"Microsoft recommends disabling SSL 2.0 and SSL 3.0 due to serious security vulnerabilities in those protocol versions. Customers may also choose to disable TLS 1.0 and TLS 1.1 to ensure that only the newest protocol version is used. However, this may cause compatibility issues with software that doesn't support the newest TLS protocol version. Customers should test such a change before performing it in production."
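
Added example, not part of the thread or of Microsoft's guidance: a read-only PowerShell audit that shows, before TLS 1.0 is switched off, which protocols Schannel has enabled on a server and whether the .NET Framework on it is set to use newer TLS versions, the two things the replies above point to. The registry locations are the standard Schannel and .NET Framework ones and are not quoted from the thread; the helper name `Get-RegValue` is made up for this example.

```powershell
# Added example (not from the thread): read-only audit, changes nothing.
# Registry locations are the standard Schannel and .NET Framework ones.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$netKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-RegValue {
    # Hypothetical helper: returns the value, or 'not set' when key or value is absent.
    param([string]$Path, [string]$Name)
    if (Test-Path -LiteralPath $Path) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return 'not set'
}

# Schannel: Enabled = 0 turns the protocol off for that role; 'not set'
# means the operating system default for that Windows version applies.
$protocolReport = foreach ($proto in $protocols) {
    foreach ($role in 'Server', 'Client') {
        $key = "$schannel\$proto\$role"
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = Get-RegValue -Path $key -Name 'Enabled'
            DisabledByDefault = Get-RegValue -Path $key -Name 'DisabledByDefault'
        }
    }
}

# .NET Framework: managed code built for older framework versions may not
# offer TLS 1.2 unless SchUseStrongCrypto or SystemDefaultTlsVersions is 1.
$netReport = foreach ($key in $netKeys) {
    [pscustomobject]@{
        Key                      = $key
        SchUseStrongCrypto       = Get-RegValue -Path $key -Name 'SchUseStrongCrypto'
        SystemDefaultTlsVersions = Get-RegValue -Path $key -Name 'SystemDefaultTlsVersions'
    }
}

$protocolReport | Format-Table -AutoSize
$netReport      | Format-Table -AutoSize
```

Run it on every server in the farm and on machines hosting services that call SharePoint, and keep the output from before the change so a later failure can be compared against it.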