A security bug affecting SSL 3.0 was released on October 14, 2014.

The DCS 6.0.x and CSP 5.2.9 Manager utilize a version of SSL 3.0 that is susceptible to POODLE.  Customers should add the entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"  to <server install>\tomcat\conf\server.xml.  All future release will contain this change by default.

Recommend steps: 

1.            Stop CSP/DCS manager service

2.            Take backup of Server.xml file

3.            Edit the server.xml file to make the suggested changes using xml editors to ensure that double quotes (") with appropriate encoding will be used.

4.            Start CSP/DCS manager service

CSP Server 5.2.9 MP1 - MP5 (having Tomcat 7.x)

DCS:SA Server 6.0, 6.0 MP1 (having Tomcat 7.x)

The entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the three SSL Connector configured in server.xml. 

These SSL Connectors are for the:

•    Tomcat Stand-Alone Agent Service

•    Tomcat Stand-Alone Console Service

•    Tomcat Stand-Alone Service

The following example shows this change:

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"

maxThreads="200" minSpareThreads="50" enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"

acceptCount="25" scheme="https" secure="true" SSLEnabled="true"

keystorePass="<KeyStorePassword>"

keystoreFile="<KeyStoreFilePath>"

clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

ciphers="%comma_separated_list_of_ciphers%"/>

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"

maxThreads="40" minSpareThreads="10" enableLookups="false"

disableUploadTimeout="true" maxKeepAliveRequests="1"

acceptCount="10" scheme="https" secure="true" SSLEnabled="true"

keystorePass="<KeyStorePassword>"

keystoreFile="<KeyStoreFilePath>"

clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

ciphers="%comma_separated_list_of_ciphers%"/>

CSP Server 5.2.8 – 5.2.8 MP4 and 5.2.9 (having tomcat 5.x):

The entry sslProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connector configured in server.xml. 

•    Tomcat Stand-Alone Service

The entry sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connector configured in server.xml. 

•    Tomcat Stand-Alone Console Service

•    Tomcat Stand-Alone Agent Service

The following example shows this change:

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"

maxThreads="200" minSpareThreads="50" maxSpareThreads="100"

enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"

acceptCount="25" debug="0" scheme="https" secure="true"

keystorePass="<KeyStorePassword>"

keystoreFile="<KeyStoreFilePath>"

clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"

 ciphers="%comma_separated_list_of_ciphers%"/>

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"

maxThreads="40" minSpareThreads="10" maxSpareThreads="25"

enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"

acceptCount="10" debug="0" scheme="https" secure="true"

keystorePass="<KeyStorePassword>"

keystoreFile="<KeyStoreFilePath>"

clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"

ciphers="%comma_separated_list_of_ciphers%"/>

<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"

maxThreads="55" minSpareThreads="5" maxSpareThreads="8"

enableLookups="false" acceptCount="10" maxKeepAliveRequests="1" debug="0"

connectionTimeout="20000" scheme="https" disableUploadTimeout="true" secure="true"

keystorePass="<KeyStorePassword>"

keystoreFile="<KeyStoreFilePath>"

clientAuth="false" sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"

ciphers="%comma_separated_list_of_ciphers%"/>

 --

This issue has been addressed in SCSP 5.2.9 MP6

Symantec Critical System Protection 5.2 RU9 MP6 uses only the TLSv1x protocol to communicate among the server, agent, and console.

--