
Disable SSL v3, TLS 1.0, and TLS 1.1 on Data Loss Prevention components


Article ID: 162212


Products

  • Data Loss Prevention Enterprise Suite
  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Core Package
  • Data Loss Prevention

Issue/Introduction

You need to disable SSLv3, TLSv1.0, and TLSv1.1 on Data Loss Prevention (DLP) components.

Cause

Current releases of Data Loss Prevention (DLP) use TLS v1.2 for network communication. DLP 14.0 and above also support the following older protocols.

  • TLS v1.1
  • TLS v1.0
  • SSL v3

These were kept for backwards compatibility, so that DLP could connect to older software and hardware, but most security scans flag these protocols. To disable the older TLS and SSL protocols, use the settings below.

NOTE: SSL v3 was officially deprecated by RFC 7568 in June 2015. Requirement 2.2.3 of PCI-DSS v3.1 sets Jun 30, 2016 as the date by which vendors must remove SSLv3, TLSv1.0, and TLSv1.1.

Resolution

There are three different tunnels listed below. Making these changes will disable / remove SSLv3, TLS 1.0 and TLS 1.1 for the corresponding tunnel. Each can be adjusted independently of the others. The first two (Browser <--> Enforce server and Enforce <--> Detection server) require changes to config files; the last one (Endpoint Server <--> Endpoint Agent) is configured in the console under System > Servers > Overview > Server Settings for each server.

Configuration change

<INST_DIR> is the DLP installation directory, e.g.,

  • On Windows: C:\Program Files\Symantec\DataLossPrevention\
  • On Linux: /opt/Symantec/DataLossPrevention

<version> is the corresponding version of DLP (15.7, 15.8, etc.).

Tunnel: Browser <--> Enforce server

  • File/parameter (Enforce): <INST_DIR>\EnforceServer\<version>\Protect\tomcat\conf\server.xml
  • Old value: sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" [this was the default in DLP v15.1 and earlier*]
  • New value: protocols="TLSv1.2" [this is the new default as of DLP v15.7]
  • Notes: Recycle the Symantec DLP Manager Service

Tunnel: Enforce <--> Detection server

  • File/parameter (Enforce): <INST_DIR>\EnforceServer\<version>\Protect\config\MonitorController.properties
  • File/parameter (Detection): <INST_DIR>\DetectionServer\<version>\Protect\config\Communication.properties
  • Old value: SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA
  • New value: SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA256
  • Notes: Ensure SSLautonegotiate is set to false in both files. Recycle the Symantec DLP Detection Server Service and the Symantec DLP Detection Server Controller Service

Tunnel: Endpoint Server <--> Endpoint Agent

  • File/parameter: "EndpointCommunications.SSLCipherSuites" in the Enforce Server console, under System > Servers > Overview > Server Settings
  • Old value: TLS_RSA_WITH_AES_128_CBC_SHA
  • New value: TLS_RSA_WITH_AES_128_CBC_SHA256
  • Notes: Recycle the Symantec DLP Detection Server Service (Endpoint Server)

After making these changes, we recommend disabling TLS 1.0 and 1.1 as described in this article on each of the Detection and Enforce servers.

*In versions of DLP prior to 15.5, the default "Old value" for the Tomcat server.xml file was sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2". This was the default parameter in Tomcat v8 and prior.

DLP v15.1 is End of Service, but to disable older TLS protocols in that release, keep the parameter name that release uses and remove the outdated protocols from it, listing only the preferred protocol, e.g., sslEnabledProtocols="TLSv1.2".

DLP v15.5 to 15.8 use Tomcat v9, which changed its default SSL settings. See the Apache Tomcat 9 Configuration Reference, in the "protocols" entry under "SSL Support - SSLHostConfig".
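The following audit script is an added example written for this article, not Symantec DLP code: it checks a Tomcat server.xml for any legacy protocol still enabled (reading both the Tomcat 9 protocols attribute and the older sslEnabledProtocols attribute, including +/- tokens and the "all" keyword) and checks a MonitorController.properties or Communication.properties body for SSLautonegotiate=false and the SHA256 cipher suite from the table above. The sample files are constructed, and the expansion of "all" is assumed from the Tomcat 9 reference cited above.

```python
import re
import xml.etree.ElementTree as ET

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
ALL = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # assumed expansion of Tomcat 9 "all"

def tomcat_legacy_protocols(server_xml):
    """Legacy protocols still enabled in server.xml; reads both the Tomcat 9
    `protocols` attribute and the older `sslEnabledProtocols` attribute."""
    found = set()
    for el in ET.fromstring(server_xml).iter():
        for attr in ("protocols", "sslEnabledProtocols"):
            enabled = set()  # tokens may carry +/- prefixes and apply in order
            for tok in re.split(r"[,\s]+", (el.get(attr) or "").strip()):
                names = ALL if tok.lstrip("+-") == "all" else {tok.lstrip("+-")}
                enabled = enabled - names if tok.startswith("-") else enabled | names
            found |= enabled & LEGACY
    return found

def properties_findings(text):
    """Findings for MonitorController/Communication.properties: autonegotiate
    must be off and the cipher suite must be the SHA256 one listed above."""
    props = {}
    for line in text.splitlines():  # skips comments; accepts key=value / key: value
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    findings = []
    if props.get("SSLautonegotiate", "").lower() != "false":
        findings.append("SSLautonegotiate is not false")
    if props.get("SSLcipherSuite") != "TLS_RSA_WITH_AES_128_CBC_SHA256":
        findings.append("SSLcipherSuite is not TLS_RSA_WITH_AES_128_CBC_SHA256")
    return findings

# Constructed samples, not real DLP files: the pre-15.7 Connector form, the
# 15.7 default, and a properties file still carrying the old values.
OLD_SERVER_XML = ('<Server><Connector SSLEnabled="true" '
                  'sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/></Server>')
NEW_SERVER_XML = ('<Server><Connector SSLEnabled="true">'
                  '<SSLHostConfig protocols="TLSv1.2"/></Connector></Server>')
OLD_PROPS = "SSLautonegotiate = true\nSSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA\n"
NEW_PROPS = "# hardened\nSSLautonegotiate = false\nSSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA256\n"

if __name__ == "__main__":
    print(sorted(tomcat_legacy_protocols(OLD_SERVER_XML)), properties_findings(OLD_PROPS))
    print(sorted(tomcat_legacy_protocols(NEW_SERVER_XML)), properties_findings(NEW_PROPS))
```

Point the two functions at the real files under <INST_DIR> after editing them; an empty set and an empty findings list mean the server.xml and properties files match the new values in the table.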

Additional Information

See this Oracle page for supported cipher suites: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html