SharePoint 2013 Disabling SSLv3.0 and TLS 1.0

  • Question

  • I am in need of confirming if SharePoint 2013 supports disabling SSL 3.0 and TLS 1.0.

    From what I can gather thus far, SSL 3.0 can be disabled without issue; however, SharePoint 2013 currently requires TLS 1.0 to be enabled. I have not been able to find a Microsoft KB article indicating that TLS 1.0 is required to be enabled for SP2013, only a post at the link below.

    http://thesharepointfarm.com/2015/08/sharepoint-support-for-disabling-ssl-3-0-and-tls-1-0/

    Is anyone aware of a Microsoft KB article, blog or tech article indicating that TLS 1.0 is required to be enabled for SP 2013?

    Thank you.


    JCashon

    Thursday, October 15, 2015 8:15 PM

Answers

  • SharePoint requires TLS v1.0 (it will also use SSL 3, but it can be disabled). This is due to the .NET Framework. An update was later released for the v4.5 Framework, but that requires an application to be recompiled to support TLS v1.1/1.2.

    So, in short, you must leave TLS v1.0 enabled for SharePoint 2013.


    Trevor Seward

            

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, October 15, 2015 9:06 PM

All replies

  • Hi JCashon,

    Can you explain your requirement? The known issue is that SSL 3.0 is vulnerable to a POODLE attack and TLS 1.0 will downgrade to SSL 3.0 if SSL 3.0 is enabled. The fix is just to disable SSL 3.0 as TLS 1.0 will not downgrade in that case.

    https://technet.microsoft.com/en-us/library/security/3009008.aspx?f=255&MSPPError=-2147217396

    Sincerely,

    IoTGirl

    Thursday, October 15, 2015 8:24 PM
  • Hi JCashon,

    I agree with Trevor.

    If his reply is helpful, you can mark it as the answer.

    Best regards,

    Victoria


    TechNet Community Support
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, October 22, 2015 3:30 AM
  • Microsoft has provided an unofficial guide, with official documentation expected to be released soon, to support TLS 1.2 only.

    https://blogs.msdn.microsoft.com/rodneyviana/2016/06/28/the-unofficial-guide-for-sharepoint-2013-and-2010-working-with-tls-1-2-only/

    TLS 1.0 can be disabled in SharePoint 2010 and SharePoint 2013 using this guidance.  Note, however, there is an issue using Windows Explorer from Windows 7 computers and Windows 2008 servers.  Windows Explorer prior to Windows 10 lacks TLS 1.2 support.

    Brian

    Wednesday, September 28, 2016 6:30 PM
  • Wish I'd checked for this first.

    Disabled TLS 1.0 and it seemed to work, until a week later people started reporting search was out of date. At first I didn't make the connection.

    I was about to raise a call and thought, "hang on, let's put 1.0 back on" and bingo, it started working.

    What a noob, I've been in IT for years - I should have checked...


    Mark

    Friday, September 1, 2017 1:34 PM
  • This thread is fairly old; you can now disable TLS 1.0 and TLS 1.1. Follow this guide: https://technet.microsoft.com/en-us/library/mt773991.aspx

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, September 1, 2017 2:55 PM
  • Hi Trevor,

    I know this is an old thread but hopefully you see this.

    I followed the article linked above but as soon as I disable TLS 1.0 I get a lot of errors for Schannel that say "A fatal error occurred while creating an SSL client credential. The internal error state is 10013."

    It is the same error described here: https://social.technet.microsoft.com/Forums/ie/en-US/aaced205-b0ec-4874-b440-8075dd74d8df/a-fatal-error-occurred-while-creating-an-ssl-client-credential-the-internal-error-state-is-10013?forum=exchangesvradmin

    When I follow the suggested steps to enforce FIPS algorithms, InfoPath forms (such as in approval workflow) no longer work.

    Do you have any suggestions for disabling TLS 1.0 without the flood of errors for Schannel?

    Thanks,

    Lance

    Friday, October 12, 2018 4:17 PM
  • FIPS is not supported on SharePoint servers. I would look at the CAPI2 event logs to help determine the certificate issue. You may also want to start a new thread.

    Trevor Seward

    Office Servers and Services MVP



    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Friday, October 12, 2018 6:14 PM
  • Hello everyone:

    I know Trevor has included a link for disabling TLS 1.0/1.1 but I need to confirm a couple of things as organizations are disabling SSL 3.0, TLS 1.0/1.1 in their environments.  Can someone confirm the following please even though it may be redundant:

    1.  Can SP 2010 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?

    2.  Can SP 2013/2016 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?

    Many thanks!


    Rumi

    Friday, October 26, 2018 2:12 PM
  • Trevor's link is still correct:

    https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-and-ssl-support-in-sharepoint-2013

    I followed that article and it is working for me. I thought it wasn't working but the issue wasn't with SharePoint. I found an old Windows service from a vendor that was causing my errors. When I disabled it, my errors went away.

    We left TLS 1.1 enabled. TLS 1.0 is off. All is good so far.

    Friday, October 26, 2018 2:16 PM
  • Thank you.  But what about TLS 1.2?

    1.  Can SP 2010 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?

    2.  Can SP 2013/2016 use TLS 1.2 and TLS 1.0/1.1 be disabled?  Is there an official guide for this?


    Rumi

    Friday, October 26, 2018 2:18 PM
  • It is the client that you need to test. TLS 1.2 is supported by all current browsers. I believe some older versions of IE don't support 1.2. Some clients, if they use an older version of .NET, don't use TLS 1.2 by default. For example, the old Windows service I just mentioned.

    I am using SP 2013. Can't speak for other versions.

    We implemented the changes in our test environment and tested everything thoroughly. That is the best you can do because every environment is different.

    Have you actually read the article Trevor provided? The 2016 version is here:

    https://docs.microsoft.com/en-us/SharePoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2016#schannel

    Read that in detail and you should be fine. Here is a quote from that page about disabling older protocols:

    Microsoft recommends disabling SSL 2.0 and SSL 3.0 due to serious security vulnerabilities in those protocol versions. Customers may also choose to disable TLS 1.0 and TLS 1.1 to ensure that only the newest protocol version is used. However, this may cause compatibility issues with software that doesn't support the newest TLS protocol version. Customers should test such a change before performing it in production.

    Friday, October 26, 2018 2:28 PM
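
Added example, not part of the thread or of the Microsoft guides linked in it: a read-only PowerShell audit to run on a SharePoint server or client machine before and after changing protocols, showing the Schannel state for each protocol and whether .NET Framework applications are set to use the newer TLS versions. It assumes the standard Schannel protocol registry location and the .NET `SchUseStrongCrypto` and `SystemDefaultTlsVersions` values; it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of Schannel protocol
# settings and the .NET Framework TLS defaults discussed above.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, meaning the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Format-Flag {
    param($Value)
    # Any non-zero DWORD (including 0xFFFFFFFF, which reads as -1) counts as set.
    if ($null -eq $Value) { 'not set (OS default)' }
    elseif ($Value -eq 0) { '0' }
    else { '1' }
}

# One row per protocol and role; Server covers inbound, Client covers outbound
# connections made by services on this machine.
$protocolReport = foreach ($proto in $protocols) {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $schannel (Join-Path $proto $role)
        [pscustomobject]@{
            Protocol          = $proto
            Role              = $role
            Enabled           = Format-Flag (Get-RegDword -Path $key -Name 'Enabled')
            DisabledByDefault = Format-Flag (Get-RegDword -Path $key -Name 'DisabledByDefault')
        }
    }
}

# .NET Framework keys, 64-bit and 32-bit views. Without these values, older
# .NET applications may not offer TLS 1.2 on their own.
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
$netReport = foreach ($key in $netKeys) {
    [pscustomobject]@{
        Key                      = $key
        SchUseStrongCrypto       = Format-Flag (Get-RegDword -Path $key -Name 'SchUseStrongCrypto')
        SystemDefaultTlsVersions = Format-Flag (Get-RegDword -Path $key -Name 'SystemDefaultTlsVersions')
    }
}

$protocolReport | Format-Table -AutoSize
$netReport      | Format-Table -AutoSize
```

Rows that show TLS 1.0 off for the Client role while the .NET values are not set point to the kind of older service or application that the replies above found failing after the change.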