
Disabling support for earlier versions of TLS for Messaging Gateway

Article ID: 161316

Products

Messaging Gateway

Issue/Introduction

Messaging Gateway mail service and the Control Center web application need to be configured to only allow the latest version of the Transport Layer Security (TLS) protocol.

Cause

SSLv3, TLS 1.0 and TLS 1.1 are no longer considered secure.

  • SSL 3.0 was deprecated in June 2015 by RFC 7568.
  • TLS 1.0 and 1.1 are both susceptible to protocol downgrade, and most vendors are in the process of deprecating these standards (most likely during 2020).

PCI DSS has required TLS 1.2 since 30 June 2018, and TLS 1.2 is also the version Symantec recommends. As of the writing of this article, TLS 1.3 is not supported by SMG, but it is on the roadmap for inclusion in a future version.

Environment

Messaging Gateway later than 10.6.5

Resolution

Restricting SMTP/TLS protocol version for the SMG email service

To restrict the TLS version used to secure SMTP email, configure the SSL Restrictions setting in the SMG Control Center. This is a global setting and applies to every SMG scanner managed by that Control Center.

  1. Log into the Control Center as an administrator.
  2. Go to Protocols > SMTP > Settings > SSL Restrictions.
  3. Select the highest protocol version to disable; that version and every earlier one are disabled together (for example, selecting TLS 1.0 disables SSLv3 and TLS 1.0, while TLS 1.1 and later can still be used).
  4. Click Save.

Restricting HTTPS/TLS protocol version for the Control Center

To restrict the TLS version allowed for HTTPS connections to the SMG Control Center web application:

  1. Connect to the command line of the Control Center via SSH using the SMG's built-in admin account.
  2. Enter the following command with the flag for the lowest TLS version that should still be accepted:
    • cc-config set-min-tls-level [--tls10|--tls11|--tls12]

      Example: cc-config set-min-tls-level --tls11 allows TLS 1.1 and 1.2 to be used.
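After either change, confirm from a client that the appliance really rejects the old versions. The following POSIX shell script is an added example (not part of this article or Symantec's tooling): it probes a scanner over SMTP STARTTLS or the Control Center over HTTPS with each protocol version and compares the result with what the chosen cc-config flag (or the equivalent SSL Restrictions choice) should enforce. It assumes the openssl CLI is installed and the appliance is reachable; the host names are placeholders.

```shell
#!/bin/sh
# Added verification script, not Symantec tooling. Assumes the openssl CLI is on
# PATH and the target host/port are reachable; host names used are placeholders.
# Versions the host must REJECT after `cc-config set-min-tls-level <flag>`
# (or the matching SSL Restrictions choice for SMTP): everything below the minimum.
rejected_for() {
  case "$1" in
    --tls10) echo "ssl3" ;;
    --tls11) echo "ssl3 tls1" ;;
    --tls12) echo "ssl3 tls1 tls1_1" ;;
    *) echo "unknown flag: $1" >&2; return 1 ;;
  esac
}
# Versions the host must still ACCEPT with that flag.
accepted_for() {
  case "$1" in
    --tls10) echo "tls1 tls1_1 tls1_2" ;;
    --tls11) echo "tls1_1 tls1_2" ;;
    --tls12) echo "tls1_2" ;;
    *) echo "unknown flag: $1" >&2; return 1 ;;
  esac
}
# One handshake with exactly one protocol version. mode is "smtp" (STARTTLS on a
# scanner's port 25) or "https" (Control Center port 443). Returns 0 if the server
# accepted the version, 1 if it rejected it, 2 if the local openssl lacks it.
probe() {
  host=$1; port=$2; mode=$3; proto=$4; extra=""
  [ "$mode" = smtp ] && extra="-starttls smtp"
  openssl s_client -help 2>&1 | grep -q -- "-$proto" || return 2
  echo | openssl s_client -connect "$host:$port" $extra "-$proto" >/dev/null 2>&1
}
# Compare every version against what the chosen flag should enforce.
verify_min_level() {
  host=$1; port=$2; mode=$3; flag=$4; rc=0
  for p in $(rejected_for "$flag"); do
    r=0; probe "$host" "$port" "$mode" "$p" || r=$?
    case "$r" in
      0) echo "FAIL: $p still accepted"; rc=1 ;;
      1) echo "ok:   $p rejected" ;;
      *) echo "skip: $p not supported by local openssl" ;;
    esac
  done
  for p in $(accepted_for "$flag"); do
    if probe "$host" "$port" "$mode" "$p"; then echo "ok:   $p accepted"
    else echo "FAIL: $p rejected"; rc=1; fi
  done
  return $rc
}
# Usage (placeholder hosts): verify_min_level smg-scanner.example.com 25 smtp --tls12
```

Run the same function against the Control Center with `443 https` and the flag you passed to cc-config; a non-zero exit status means at least one version did not behave as the setting requires.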

Note:

  • FIPS Mode automatically disables SSLv3. See FIPS mode best practices and considerations for more information.
  • For further information, please refer to the Administration Guide for SMG.