You need to disable SSLv3, TLSv1.0, and TLSv1.1 on Data Loss Prevention (DLP) components.
Current releases of Data Loss Prevention (DLP) use TLS v1.2 for network communication. DLP 14.0 and above will support the following protocols.
This was for backwards compatibility reasons and the ability to connect to older software and hardware, but most security scans produce a red flag for these protocols. To disable older TLS and SSL protocols use the following settings below.
NOTE: SSL v3 was officially deprecated via RFC 7568 in June 2015. Requirement 2.2.3 of PCI-DSS v3.1 sets Jun 30, 2016 for vendors to kill SSLv3, TLSv1.0, and TLSv1.1.
There are three different tunnels listed below. Making the these changes will disable / remove SSLv3, TLS 1.0 and TLS 1.1 accordingly. Each can be adjusted independent of the other. The first two (Browser <--> Enforce server and Enforce <--> Detection server) require changes to config files and the last one (Endpoint Server <--> Endpoint Agent) is configured in the console under System > Servers > Overview > Server Settings for each server.
<INST_DIR> is the DLP installation directory, e.g.,
<version> is the corresponding version of DLP - 15.7, 15.8, etc.
|Tunnel||File/parameter||Old value||New value||Notes|
|Browser <--> Enforce server||
[this was default in DLP v15.1 and earlier*]
[this is the new default as of DLP v15.7]
|Recycle Symantec DLP Manager Service|
|Enforce <--> Detection server||
|SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA||SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA256||Ensure SSLautonegotiate is set to false in both files.
Recycle Symantec DLP Detection Server Service and Symantec DLP Detection Server Controller Service
|Endpoint Server <--> Endpoint Agent||"EndpointCommunications.SSLCipherSuites" in Enforce Server console:
System > Servers > Overview > Server Settings
Recycle Symantec DLP Detection Server Service (Endpoint Server)
*In versions of DLP prior to 15.5, the default "Old value" for the Tomcat server.xml file was sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2". This was the default parameter in Tomcat v8 and prior.
DLP v15.1 is End of Service, but to delimit older TLS protocols in that release, use the correct parameter but remove the outdated protocols and list only the proffered protocol, e.g., sslEnabledProtocols="TLSv1.2".
DLP v15.5 -15.8 use Tomcat v9, which updated its default SSL settings. See the Apache Tomcat 9 Configuration Reference, in the "protocols" entry, under "SSL Support - SSLHostConfig".
See this Oracle page for supported cipher suites: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html