Is a reboot required for SSL V3 disable on Windows? - Poodle exploit

Solution 1:

Yes... probably... if you're talking about applications that call into schannel.dll.

You mentioned "Servers" and you mentioned "SSLv3", which is a protocol. Changes to this registry key require a reboot.

Read this Microsoft article: https://support.microsoft.com/en-us/kb/245030

That's basically the bible of this topic.

Notice that the article says "Changes to the CIPHERS key or the HASHES key take effect immediately, without a system restart."

However, you are changing the PROTOCOLS key. So, restart.

EDIT: Oh, I forgot to mention the most important part -- changes to this registry key, they only affect applications that call into the Schannel DLL. (Such as IIS, RDP, SQL Server, etc.) They have NO EFFECT on applications that use a third-party library such as OpenSSL. In those apps, it is impossible for us to know whether it will require a reboot or not because it depends on the app.

Solution 2:

You can restart the HTTP service using net stop http and net start http. It will obviously only affect applications using it (like IIS).

You will also need to restart any services depending on the HTTP service and close any other process using \Device\Http\* (otherwise the service won't stop).

Here's a PowerShell script to do all this. (It uses handle.exe from https://live.sysinternals.com/ and doesn't consider multiple levels of dependent services.)

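```powershell
# Stop the running services that depend on the HTTP service (one level only).
$dependents = Get-Service HTTP -DependentServices | Where-Object Status -eq Running
$dependents | Stop-Service
# Close every other process holding a \Device\Http\ handle (prompts before each).
.\handle.exe -nobanner -a \Device\Http\ | Where-Object { $_ -match '\s+pid:\s*(?<pid>\d+)\s+' } | ForEach-Object { $matches.pid } | Get-Unique | ForEach-Object { Stop-Process -Id $_ -Confirm }
# Restart HTTP, then bring the dependent services back up.
Restart-Service HTTP
$dependents | Start-Service
```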

(I tested this only on Windows 7.)
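
A way to check whether the change has actually taken effect for a Schannel-based listener such as IIS, as an added example that is not part of either answer: it compares the Enabled value under the Schannel SSL 3.0 Server key with a real SSL 3.0 handshake attempt. The host and port defaults are placeholders, and the machine running the probe must itself still allow SSL 3.0 as a client, otherwise the handshake fails for client-side reasons.

```powershell
# Added example (not from the answers). Host and port defaults are placeholders.
param([string]$TargetHost = 'localhost', [int]$Port = 443)
$ErrorActionPreference = 'Stop'

# Schannel server-side SSL 3.0 settings (the PROTOCOLS key discussed above).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

function Get-ConfiguredSsl3State {
    # A missing key or a missing Enabled value means the OS default applies.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Enabled) { return 'OsDefault' }
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Test-Ssl3Handshake([string]$HostName, [int]$PortNumber) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $PortNumber)   # connection errors propagate to the caller
        # Accept any certificate: only the protocol version is under test.
        $anyCert = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $anyCert)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Ssl3, $false)
            return $true     # handshake completed over SSL 3.0
        } catch {
            return $false    # handshake refused or failed
        }
    } finally {
        $tcp.Close()
    }
}

$configured = Get-ConfiguredSsl3State
$negotiated = Test-Ssl3Handshake $TargetHost $Port
$verdict = if ($configured -eq 'Disabled' -and $negotiated) {
    'Registry disables SSL 3.0 but the listener still negotiates it: change not yet in effect'
} elseif ($negotiated) {
    'SSL 3.0 is still accepted'
} else {
    'SSL 3.0 handshake did not complete'
}
[pscustomobject]@{
    Configured     = $configured
    Ssl3Negotiated = $negotiated
    LastBoot       = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    Verdict        = $verdict
}
```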