Disabling support for earlier versions of TLS for Messaging Gateway
Article ID: 161316
Products
Messaging Gateway
Issue/Introduction
The Messaging Gateway mail service and the Control Center web application need to be configured to only allow the latest version of the Transport Layer Security (TLS) protocol.
Environment
Messaging Gateway later than 10.6.5
Cause
SSLv3/TLS 1.0/TLS 1.1 are no longer considered to be secure.
SSL 3.0 was deprecated in June 2015 by RFC 7568.
TLS 1.0 and 1.1 are both susceptible to protocol downgrade, and most vendors are in the process of deprecating these standards (most likely during 2020).
The PCI DSS standard requires TLS 1.2 as of 30 June 2018, which is the version recommended by Symantec. As of the writing of this article, TLS 1.3 is not supported by SMG, but it is on the roadmap for inclusion in a future version (no exact date or version has been announced).
Resolution
Restricting SMTP/TLS protocol version for the SMG email service
To restrict the TLS version used to secure SMTP email, the SSL Restrictions will need to be set in the SMG Control Center. This is a global setting and affects all SMG scanners managed by the Control Center GUI.
Log into the Control Center as an administrator
Go to Protocols > Settings > SMTP tab > SSL Restrictions section.
Select the newest version to disable; every older version is disabled along with it (e.g. selecting TLS 1.0 disables SSLv3 and TLS 1.0, but TLS 1.1 will still be used).
Click Save.
Restricting HTTPS/TLS protocol version for the Control Center
To restrict the TLS version allowed for HTTPS connections to the SMG Control Center web application, proceed as follows:
Connect to the command line of the Control Center via SSH with the SMG's built-in admin account.
Enter the following command, passing the lowest TLS version that is to remain allowed:
Example: cc-config set-min-tls-level --tls11 allows TLS 1.2 and 1.1 to be used.
Note:
FIPS Mode will automatically disable SSLv3.
For further information, please refer to the Administration Guide for SMG.
If you restrict to TLS 1.1, any client attempting an older protocol cannot complete the TLS handshake, so the SMG aborts the connection before any SMTP transaction starts.
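After applying either restriction above, it is worth confirming from another host which protocol versions the SMTP listener (via STARTTLS) and the Control Center HTTPS port still accept. The script below is an added example, not part of the SMG product or this article; it assumes the openssl command-line tool is installed, and the host name and ports used in its usage comment are placeholders.

```shell
#!/bin/sh
# Added verification helper (not SMG's own code): probe which TLS versions a
# host still negotiates after the SSL Restrictions / cc-config change.
# Requires the openssl command-line tool on the probing host.

# Classify one openssl s_client transcript read from stdin:
#   accepted    - a session was negotiated at the requested version
#   rejected    - the peer aborted the handshake (expected for disabled versions)
#   unsupported - the local openssl build cannot even offer that version
tls_verdict() {
    out=$(cat)
    case "$out" in
        *"nknown option"*|*"no protocols available"*) echo unsupported ;;
        *"Cipher is (NONE)"*)                          echo rejected ;;
        *"Cipher is "*)                                echo accepted ;;
        *)                                             echo rejected ;;
    esac
}

# Probe HOST:PORT with each protocol flag. Pass "smtp" as the third argument
# for the mail service so s_client issues STARTTLS before negotiating TLS;
# omit it for the Control Center HTTPS port.
probe_tls_versions() {
    host=$1; port=$2; starttls=${3:-}
    extra=""
    if [ -n "$starttls" ]; then
        extra="-starttls $starttls"
    fi
    for ver in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        verdict=$(openssl s_client -connect "$host:$port" $extra "-$ver" \
                  </dev/null 2>&1 | tls_verdict)
        printf '%s:%s %-7s %s\n' "$host" "$port" "$ver" "$verdict"
    done
}

# Constructed s_client excerpts (not captured from a real SMG) so the
# classifier can be exercised offline.
SAMPLE_ACCEPTED='SSL handshake has read 3321 bytes and written 450 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_REJECTED='SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
New, (NONE), Cipher is (NONE)'

# Usage (placeholder host): sh tlsprobe.sh smg.example.com 25 smtp
#                        or: sh tlsprobe.sh smg.example.com 443
if [ "$#" -ge 2 ]; then
    probe_tls_versions "$@"
fi
```

A correctly restricted gateway reports "rejected" for every version below the configured minimum and "accepted" for TLS 1.2; "unsupported" only means the probing host's own OpenSSL build refuses to offer that legacy version.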