
Receiving cipher errors when logging in to the Enforce console


Article ID: 162210


Products

Data Loss Prevention Enforce

Issue/Introduction

Cipher errors occur when logging in to the Enforce console. The exact wording varies by browser; for example, Firefox reports:
 
An error occurred during a connection to x.x.x.x:8300. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

Cause

Because of various recently identified exploits against cipher suites, many operating systems and web browsers are removing weak ciphers. The default cipher suite list for Tomcat on the Enforce server consists primarily of the older suites, so it must be updated before a fully patched browser will connect.

Resolution

Log in to the Enforce server and navigate to <DLP install>\protect\tomcat\conf on Windows or /opt/SymantecDLP/Protect/tomcat/conf on Linux, then open the server.xml file in a text editor. Find the "ciphers=" attribute on the Connector element and change the list (the part in quotes) to this:
 
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
 
Once the updated cipher string has been saved, restart the VontuManager service or restart the server. After the Vontu services have restarted, users should be able to connect to the Enforce UI without cipher errors.
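As an added worked example (not part of this article and not a Symantec tool), the script below applies the change in a repeatable way: it backs up server.xml, replaces the ciphers= attribute on every Connector element with the list above, and reports which of the previously configured suites a current browser would reject (finite-field DHE suites, which produce the weak ephemeral DH key error, plus RC4, DES/3DES, export, NULL, anonymous and MD5 suites). The sample server.xml embedded in the script is constructed for illustration; its Connector attribute values are not the DLP defaults.

```python
"""Update the Tomcat Connector ciphers= attribute in server.xml (added example)."""
from __future__ import annotations

import re
import shutil
from pathlib import Path

# Cipher list recommended by the KB article (copied verbatim).
RECOMMENDED_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
)

# Substrings that mark a suite as one modern browsers reject. "_DHE_" catches
# finite-field Diffie-Hellman suites (TLS_DHE_*) but not ECDHE (the "C" before
# "DHE" breaks the match); the rest are obsolete ciphers, MACs and key exchanges.
WEAK_MARKERS = ("_DHE_", "RC4", "DES", "EXPORT", "NULL", "anon", "MD5")

# A Connector start tag, and the ciphers="..." attribute inside it.
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")
CIPHERS_ATTR_RE = re.compile(r'ciphers\s*=\s*"([^"]*)"')

# Constructed sample server.xml; attribute values are illustrative only.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8300" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
  </Service>
</Server>
"""


def weak_suites(cipher_list: str) -> list[str]:
    """Return the suites in a comma-separated ciphers= value that match a weak marker."""
    suites = [c.strip() for c in cipher_list.split(",") if c.strip()]
    return [s for s in suites if any(marker in s for marker in WEAK_MARKERS)]


def current_ciphers(server_xml: str) -> list[str]:
    """Return the ciphers= value of every Connector that declares one, in file order."""
    found = []
    for connector in CONNECTOR_RE.finditer(server_xml):
        attr = CIPHERS_ATTR_RE.search(connector.group(0))
        if attr:
            found.append(attr.group(1))
    return found


def set_ciphers(server_xml: str, new_list: str = RECOMMENDED_CIPHERS) -> tuple[str, int]:
    """Replace ciphers= on each Connector; return the new text and the number replaced.

    Text substitution (rather than an XML parser) keeps comments and layout intact.
    """
    count = 0

    def fix_connector(match: re.Match) -> str:
        nonlocal count
        tag, n = CIPHERS_ATTR_RE.subn(lambda _: f'ciphers="{new_list}"', match.group(0))
        count += n
        return tag

    return CONNECTOR_RE.sub(fix_connector, server_xml), count


def update_server_xml(path: Path, new_list: str = RECOMMENDED_CIPHERS) -> int:
    """Back up server.xml as server.xml.bak, rewrite it, and return the replacement count."""
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    new_text, n = set_ciphers(path.read_text(encoding="utf-8"), new_list)
    path.write_text(new_text, encoding="utf-8")
    return n


if __name__ == "__main__":
    for value in current_ciphers(SAMPLE_SERVER_XML):
        print("suites a patched browser will reject:", weak_suites(value))
    updated, replaced = set_ciphers(SAMPLE_SERVER_XML)
    print(f"replaced {replaced} ciphers attribute(s); new Connector:")
    print(CONNECTOR_RE.search(updated).group(0))
    # On a real Enforce server: update_server_xml(Path("/opt/SymantecDLP/Protect/tomcat/conf/server.xml"))
    # and then restart the VontuManager service so Tomcat reloads the file.
```

Run the script once against a copy of the file first and diff it against the .bak; the only change should be the ciphers= value on the HTTPS Connector. The restart step is still required, since Tomcat reads server.xml only at startup.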