Is a reboot required for SSL V3 disable on Windows? - Poodle exploit
Solution 1:
Yes... probably... if you're talking about applications that call into schannel.dll.
You mentioned "Servers" and you mentioned "SSLv3" which is a protocol. Changes to this registry key require a reboot.
Read this Microsoft article: https://support.microsoft.com/en-us/kb/245030
That's basically the bible of this topic.
Notice that the article says "Changes to the CIPHERS key or the HASHES key take effect immediately, without a system restart."
However, you are changing the PROTOCOLS key. So, restart.
EDIT: Oh, I forgot to mention the most important part -- changes to this registry key, they only affect applications that call into the Schannel DLL. (Such as IIS, RDP, SQL Server, etc.) They have NO EFFECT on applications that use a third party library such as OpenSSL. In those apps, it is impossible for us to know whether it will require a reboot or not because it depends on the app.
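The registry change this answer refers to, as an added PowerShell example that is not part of the original answer: it reports the Schannel SSL 3.0 server setting, disables it only if needed, and shows the last boot time so you can tell whether a restart is still pending. The path and the `Enabled` / `DisabledByDefault` value names are Microsoft's documented Schannel settings; the function names are made up for this example, and it must run from an elevated prompt.

```powershell
# Added example (not from the answers on this page). Run elevated.
# Documented Schannel location for the SSL 3.0 server-side protocol settings.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

# Desired state: protocol disabled for server-side Schannel callers (IIS, RDP, ...).
$wanted = @{ Enabled = 0; DisabledByDefault = 1 }

function Get-Ssl3ServerState {
    # $null in a column means the value is not set and the OS default applies.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled           = $props.Enabled
        DisabledByDefault = $props.DisabledByDefault
    }
}

function Disable-Ssl3Server {
    # Returns $true only if something was actually written (idempotent).
    $changed = $false
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $wanted.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $wanted[$name]) {
            New-ItemProperty -Path $key -Name $name -Value $wanted[$name] `
                -PropertyType DWord -Force | Out-Null
            $changed = $true
        }
    }
    return $changed
}

Get-Ssl3ServerState | Format-List
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
if (Disable-Ssl3Server) {
    Write-Warning "PROTOCOLS key changed. Last boot was $boot; restart for the change to take effect."
} else {
    Write-Output "SSL 3.0 server setting already disabled. Last boot: $boot"
}
```

This only covers applications that call into Schannel; services built on a third-party TLS library need their own configuration.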
Solution 2:
You can restart the HTTP service using net stop http and net start http. It will obviously only affect applications using it (like IIS).
You will also need to restart any services depending on the HTTP service and close any other process using \Device\Http\* (otherwise the service won't stop).
Here's a PowerShell script to do all this. (It uses handle.exe from https://live.sysinternals.com/ and doesn't consider multiple levels of dependent services.)
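# Running services that depend on HTTP (first level only)
$dependencies = Get-Service HTTP -DependentServices | Where-Object Status -eq Running
Stop-Service $dependencies
# Stop every process holding a \Device\Http\ handle (asks for confirmation per process)
.\handle.exe -nobanner -a \Device\Http\ | Where-Object { $_ -match '\s+pid:\s*(?<pid>\d+)\s+' } | ForEach-Object { $matches.pid } | Sort-Object -Unique | ForEach-Object { Stop-Process -Id $_ -Confirm }
Restart-Service HTTP
Start-Service $dependencies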
(I tested this only on Windows 7.)