You need to disable SSLv3, TLSv1.0, and TLSv1.1 on Data Loss Prevention (DLP) components.
Current releases of Data Loss Prevention (DLP) use TLS 1.2 for network communication, but DLP 14.0 and above also support the older protocols listed in the table below.
That support exists for backwards compatibility, so that DLP can connect to older software and hardware, but most security scans flag these protocols. Use the settings below to disable the older TLS and SSL protocols.
NOTE: SSL v3 was officially deprecated by RFC 7568 in June 2015. Requirement 2.2.3 of PCI-DSS v3.1 sets June 30, 2016 as the date by which vendors must retire SSLv3, TLSv1.0, and TLSv1.1.
Three of the tunnels listed below require changes; the fourth (Enforce Server <--> Active Directory) is already restricted to TLS 1.2 by default. Making these changes disables SSLv3, TLS 1.0 and TLS 1.1 on the corresponding tunnel, and each tunnel can be adjusted independently of the others. The first two (Browser <--> Enforce server and Enforce <--> Detection server) require changes to config files; the third (Endpoint Server <--> Endpoint Agent) is configured in the console under System > Servers > Overview > Server Settings for each server.
<INST_DIR> is the DLP installation directory, e.g.,
<version> is the installed DLP version (15.7, 15.8, 16.0, etc.).
Tunnel | File/parameter | Old value | New value | Notes
--- | --- | --- | --- | ---
Browser <--> Enforce server | Enforce: <INST_DIR>\EnforceServer\<version>\Protect\tomcat\conf\server.xml | sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" [default in DLP v15.1 and earlier*] | protocols="TLSv1.2" [the new default as of DLP v15.7] | Recycle the Symantec DLP Manager Service
Enforce <--> Detection server | Enforce: <INST_DIR>\EnforceServer\<version>\Protect\config\MonitorController.properties and Detection: <INST_DIR>\DetectionServer\<version>\Protect\config\Communication.properties | SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA | SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA256 | Ensure SSLautonegotiate is set to false in both files. Recycle the Symantec DLP Detection Server Service and the Symantec DLP Detection Server Controller Service
Endpoint Server <--> Endpoint Agent | "EndpointCommunications.SSLCipherSuites" in the Enforce Server console: System > Servers > Overview > Server Settings | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | Recycle the Symantec DLP Detection Server Service (Endpoint Server)
Enforce Server <--> Active Directory | Enforce: <Java_INST_DIR>\AdoptOpenJRE\jdk8u352-b08-jre\lib\security\java.security | jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves | jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \ include jdk.disabled.namedCurves | Excluding everything but TLS 1.2 is already the default, so no change should be required.
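The three file-based rows above are easy to get subtly wrong (a `sslEnabledProtocols` attribute left behind on a Tomcat 9 connector, `SSLautonegotiate` still `true`, a `jdk.tls.disabledAlgorithms` value split across backslash-continued lines). The following audit script is an added example, not Symantec's code or part of this article: it parses each file type and reports which legacy settings remain. The file contents embedded below are constructed samples that mirror the table's old and new values; `SSLHostConfig` is the Tomcat 9 element referenced in the configuration reference cited at the end of this article, and treating Tomcat's `all` keyword as enabling every legacy version is an assumption made by the script. Point the functions at the real files under `<INST_DIR>` to audit an installation.

```python
"""Audit DLP config files for the legacy TLS settings listed in the table.

Added example (not Symantec's code). File contents below are constructed
samples; read the real files under <INST_DIR> and pass their text instead.
"""
import xml.etree.ElementTree as ET

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
NEW_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA256"   # "New value" from the table

# --- Browser <--> Enforce: tomcat\conf\server.xml (constructed samples) ---
SERVER_XML_OLD = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>"""

SERVER_XML_NEW = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true" scheme="https">
    <SSLHostConfig protocols="TLSv1.2"/>
  </Connector>
</Service></Server>"""


def tomcat_enabled_protocols(server_xml):
    """Collect every protocol name enabled on SSL-enabled Tomcat connectors.

    Reads the pre-Tomcat-9 sslEnabledProtocols attribute as well as the
    protocols attribute on the Connector itself or its SSLHostConfig children,
    so a stale legacy attribute next to a new one is still noticed.
    """
    enabled = set()
    for connector in ET.fromstring(server_xml).iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        values = [connector.get("sslEnabledProtocols"), connector.get("protocols")]
        values += [host.get("protocols") for host in connector.findall("SSLHostConfig")]
        for value in values:
            if value:
                enabled.update(p.strip() for p in value.split(","))
    return enabled


def tomcat_legacy_protocols(server_xml):
    """Legacy protocols still enabled (assumption: 'all' enables all three)."""
    enabled = tomcat_enabled_protocols(server_xml)
    if "all" in enabled:
        return set(LEGACY_PROTOCOLS)
    return enabled & LEGACY_PROTOCOLS


# --- Java .properties parsing, shared by the two remaining file-based rows ---
def parse_properties(text):
    """Minimal key=value parser that honours trailing-backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


# --- Enforce <--> Detection: MonitorController/Communication.properties ---
MONITOR_CONTROLLER_OLD = """# constructed sample before the change
SSLautonegotiate = true
SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA
"""
MONITOR_CONTROLLER_NEW = """# constructed sample after the change
SSLautonegotiate = false
SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA256
"""


def detection_tunnel_findings(properties_text):
    """Return a list of problems; an empty list means the file matches the table."""
    props = parse_properties(properties_text)
    findings = []
    suite = props.get("SSLcipherSuite")
    if suite != NEW_SUITE:
        findings.append("SSLcipherSuite is %r, expected %s" % (suite, NEW_SUITE))
    if props.get("SSLautonegotiate", "").lower() != "false":
        findings.append("SSLautonegotiate must be set to false")
    return findings


# --- Enforce <--> Active Directory: lib\security\java.security ---
JAVA_SECURITY = r"""# constructed excerpt; value copied from the table
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""


def jdk_missing_legacy_disables(java_security_text):
    """Legacy protocols NOT present in jdk.tls.disabledAlgorithms (empty = good)."""
    value = parse_properties(java_security_text).get("jdk.tls.disabledAlgorithms", "")
    disabled = {item.strip() for item in value.split(",")}
    return LEGACY_PROTOCOLS - disabled


if __name__ == "__main__":
    print("server.xml old :", tomcat_legacy_protocols(SERVER_XML_OLD))
    print("server.xml new :", tomcat_legacy_protocols(SERVER_XML_NEW))
    print("properties old :", detection_tunnel_findings(MONITOR_CONTROLLER_OLD))
    print("properties new :", detection_tunnel_findings(MONITOR_CONTROLLER_NEW))
    print("java.security  :", jdk_missing_legacy_disables(JAVA_SECURITY))
```

Run the script as-is to see the old samples flagged and the new ones pass; to audit a server, replace the constants with the contents of the real files (`open(path).read()`). The endpoint tunnel is a console setting rather than a file, so it is not covered here.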
After making these changes, we recommend disabling TLS 1.0 and 1.1 as described in this article on each of the Detection and Enforce servers.
*In versions of DLP prior to 15.5, the default "Old value" for the Tomcat server.xml file was sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2". This was the default parameter in Tomcat v8 and prior.
DLP v15.1 is End of Service, but to restrict older TLS protocols in that release, keep the correct parameter name and remove the outdated protocols so that only the preferred protocol is listed, e.g., sslEnabledProtocols="TLSv1.2".
DLP v15.5 - 16.0 use Tomcat v9, which changed its default SSL settings. See the "protocols" entry under "SSL Support - SSLHostConfig" in the Apache Tomcat 9 Configuration Reference.
See this Oracle page for supported cipher suites: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
See Also: How to Set OCR TLS to 1.2