As part of hardening of servers, which publish services and in times of Poodle, you might want to disable SSL (if not already done). You can test your client here and your server/service endpoint here.
Most likely you already disabled SSL on your server, but if not:
Can you do it right away?
Of course you can do it right away. Is there a caveat? It depends….
It depends whether a client depends on SSL or not.
Lately I was involded in an issue, where users complained about not beeing able to connect to Exchange anymore. They were using Outlook for Mac in the latest version. Some reported they cannot connect when switching networks while others were able. So it was really confusing. After some troubleshooting we at least could isolate the issue to users, which switched from corporate Lan to external. But still some had no issues. After some time we narrowed it down that those users, who had disabled Autodiscover function within Outlook for Mac, which could be done as described here, had no issues.
Further more we finally found the reason:
The client, which came from corporate Lan, tried to connect to Autodiscover in order to retrieve the latest settings as he couldn’t connect to the internal endpoint for Exchange. This is a normal behavior and by design and more info could be found here. But the couldn’t retrieve any data from Autodiscover. The ones with the disabled Autodiscover function had the external endpoint configured and therefore it was no problem for them (split DNS). But why couldn’t the clients retrieve any data from Autodiscover?
To understand this you need to know that Autodiscover had a different IP than the EWS endpoint. And also different settings applied:
- Renego was disabled
We confirmed this in some network traces. Here a bad trace of a client outside corporate Lan
We can see only SSLv2 request, which were not answered. Now a good trace inside corporate Lan
Here we can see that there was a change in the cipher from SSLv2 to TLSv1. Now I need only confirmation and I found the following KB:
The connection failure occurs because Outlook for Mac uses SSL to establish communication with an Exchange server. When SSL is disabled and secure renegotiation is implemented as defined in RFC 5746
, Outlook requires the server to be in Compatible mode so that the session can be renegotiated from SSL to Transport Layer Security (TLS).
Okay…..I’m astonished about the facts. Of course we allowed Renego and solved the issue.
Outlook for Mac was so far the only client we found who relies on SSLv2. This also applies to the latest version Outlook for Mac for Office 365
Always check capabilities of your clients!