
We are trying to disable SSL V3 on numerous Windows servers; as part of it, registry entries are being updated remotely via script. The problem is that lots of reboots are required after the registry change. Is there a way around it? Can a service be restarted on the server so that it no longer accepts SSL V3 after the registry change?

Edit: A little more clarification: this is about disabling "SSL V3 server", on Windows 2012 R2 servers.

Darktux
  • SSL V3 is used on servers and clients alike - can you provide enough detail of exactly which SSL V3 you are disabling and how, to get better advice? – David Nilson May 20 '15 at 21:40
  • Lots of reboots? AFAIK one reboot is enough after the registry change. – Daniel May 20 '15 at 22:50
  • @Daniel Lots of servers equals lots of reboots, one for each; sorry for the confusion. – Darktux May 21 '15 at 04:45

2 Answers


Yes... probably... if you're talking about applications that call into schannel.dll.

You mentioned "Servers" and you mentioned "SSLv3", which is a protocol. Changes to this registry key require a reboot.

Read this Microsoft article: https://support.microsoft.com/en-us/kb/245030

That's basically the bible of this topic.

Notice that the article says "Changes to the CIPHERS key or the HASHES key take effect immediately, without a system restart."

However, you are changing the PROTOCOLS key. So, restart.

EDIT: Oh, I forgot to mention the most important part -- changes to this registry key only affect applications that call into the Schannel DLL (such as IIS, RDP, SQL Server, etc.). They have NO EFFECT on applications that use a third-party library such as OpenSSL. For those apps, it is impossible for us to know whether a reboot will be required or not, because it depends on the app.

Ryan Ries
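An added example, not part of either answer on this page, showing how the "SSL 3.0\Server" settings from KB245030 can be pushed to a list of servers from one place, with a read-back of the values so the rollout can record which machines still need the reboot. It assumes PowerShell remoting is enabled on the targets and that you run it with administrative credentials; the server names in $Servers are placeholders.

```powershell
# Added example: apply the Schannel "SSL 3.0\Server" registry settings remotely
# and report which servers changed (and therefore still need a restart).

$Servers = @('SERVER01', 'SERVER02')   # placeholder names, replace with your own

# Key documented in KB245030; it does not exist by default on a fresh install.
$Sslv3ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

$Apply = {
    param($KeyPath)

    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }

    # Record the values before the change so we can tell whether anything moved.
    $before = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off even
    # when an application asks for it explicitly. Both are REG_DWORD values.
    New-ItemProperty -Path $KeyPath -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null

    $after = Get-ItemProperty -Path $KeyPath

    # Schannel reads the Protocols key at boot, so the change is only live after
    # a restart. Flag the machine if either value actually changed.
    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        EnabledBefore          = $before.Enabled
        DisabledByDefaultBefore = $before.DisabledByDefault
        EnabledAfter           = $after.Enabled
        DisabledByDefaultAfter = $after.DisabledByDefault
        RebootRequired         = ($before.Enabled -ne 0) -or ($before.DisabledByDefault -ne 1)
    }
}

Invoke-Command -ComputerName $Servers -ScriptBlock $Apply -ArgumentList $Sslv3ServerKey |
    Format-Table Computer, EnabledBefore, EnabledAfter, DisabledByDefaultAfter, RebootRequired -AutoSize
```

Running this a second time on a server that was already updated reports RebootRequired as False, which gives you a cheap way to audit a fleet without touching servers that are already done. As the answer above says, this only governs Schannel consumers (IIS, RDP, SQL Server and so on); anything shipping its own TLS stack is unaffected.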

You can restart the HTTP service using net stop http and net start http. It will obviously only affect applications using it (like IIS).

You will also need to restart any services depending on the HTTP service and close any other process using \Device\Http\* (otherwise the service won't stop).

Here's a PowerShell script that does all this. (It uses handle.exe from https://live.sysinternals.com/ and doesn't consider multiple levels of dependent services.)

# Running services that depend directly on HTTP (one level only, as noted above)
$dependencies = Get-Service HTTP -DependentServices | Where-Object Status -eq Running
if ($dependencies) { Stop-Service $dependencies }
# Find every process holding a handle under \Device\Http\ and offer to stop it (-Confirm prompts for each)
.\handle.exe -nobanner -a \Device\Http\ | ForEach-Object { if ($_ -match '\s+pid:\s*(?<pid>\d+)\s+') { $matches.pid } } | Select-Object -Unique | ForEach-Object { Stop-Process -Id $_ -Confirm }
Restart-Service HTTP
if ($dependencies) { Start-Service $dependencies }

(I tested this only on Windows 7.)
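An added example, not from the answer above, that extends its approach to walk the dependent-service tree recursively, which the answer notes its one-level script does not do. Services are stopped deepest-first and started again in reverse order; the handle.exe step is left exactly as in the answer and is not repeated here. The function names are my own, and it assumes an elevated PowerShell session.

```powershell
# Added example: restart HTTP with all transitively dependent services
# stopped first and started again afterwards, in dependency order.

function Get-DependentServiceTree {
    # Returns every running service that depends on $Name directly or
    # transitively, deepest dependents first (the order they must be stopped in).
    param(
        [Parameter(Mandatory)][string]$Name,
        [hashtable]$Seen = @{}          # guards against visiting a service twice
    )

    $result = @()
    foreach ($dep in (Get-Service -Name $Name -DependentServices)) {
        if ($Seen.ContainsKey($dep.Name)) { continue }
        $Seen[$dep.Name] = $true
        # Recurse before adding $dep itself, so services further up the chain
        # come out ahead of the service they depend on.
        $result += Get-DependentServiceTree -Name $dep.Name -Seen $Seen
        if ($dep.Status -eq 'Running') { $result += $dep }
    }
    return $result
}

function Restart-HttpWithDependents {
    # Stops the whole dependent tree, restarts HTTP, then starts the tree again.
    # Supports -WhatIf so the plan can be reviewed before anything is touched.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $dependents = @(Get-DependentServiceTree -Name 'HTTP')

    $action = "stop $($dependents.Count) dependent service(s), restart HTTP, start them again"
    if ($PSCmdlet.ShouldProcess('HTTP', $action)) {
        foreach ($svc in $dependents) { Stop-Service -Name $svc.Name -Force }
        Restart-Service -Name 'HTTP' -Force
        # Start in reverse order: the services closest to HTTP first.
        [array]::Reverse($dependents)
        foreach ($svc in $dependents) { Start-Service -Name $svc.Name }
    }
    return $dependents
}

# Usage: review the plan first, then run it for real.
Restart-HttpWithDependents -WhatIf
Restart-HttpWithDependents | Format-Table Name, DisplayName, Status -AutoSize
```

If a process outside the service control manager still holds a handle under \Device\Http\, Restart-Service will still fail, so the handle.exe step from the answer belongs between the stop loop and the restart when that is a concern on the box.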