To disable 3DES for client communications and SEPM Reporting functions, please make the following changes:
1.) Create backups first, then edit the ssl.conf and sslForClients.conf files within the following path:
\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl
2.) Locate the following lines - the same lines will be found in both files:
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:3DES:!RC4
3.) Make the following change, inserting a "bang" (!) before 3DES to disable that cipher - the same change will be made in both files:
SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4
4.) Save the changes made to each file.
5.) Reboot the SEPM server, or restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.
6.) Re-run any vulnerability scans as needed to confirm that findings relating to 64-bit block ciphers (3DES) are now resolved. (By default, scan port 443 for secure client communications and port 8445 for SEPM Reporting.)
Note: Disabling 3DES in sslForClients.conf will prevent Windows XP and Windows Server 2003 systems from communicating with the SEPM, even if TLS has been enabled on those clients per TECH231025. If managed XP or 2003 clients still need to communicate with the SEPM, leave 3DES enabled in sslForClients.conf; ssl.conf (SEPM Reporting) can still be changed.
To disable 3DES for internal SEPM server communications and web services:
- Create a backup of the following files
- .../tomcat/conf/server.xml
- .../tomcat/instances/sepm-api/conf/server.xml
- Edit .../tomcat/conf/server.xml
- Search for instances of "3DES" contained within strings that begin with "SSLCipherSuite" (example below)
- SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:3DES:!RC4
- Add an exclamation point (!) before the "3DES" to disable that cipher (example below)
- SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4
- Save the file
- Repeat the same edit (add the exclamation point before "3DES" in every SSLCipherSuite string) for the file .../tomcat/instances/sepm-api/conf/server.xml and save it
- Restart the following SEPM Services
- Symantec Endpoint Protection Manager
- Symantec Endpoint Protection Manager API Service
- Symantec Endpoint Protection Manager Webserver
Re-run any vulnerability scans as needed to confirm that findings relating to 64-bit block ciphers (3DES) are now resolved.
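As an added example (not Symantec's own code and not part of this article), the following Python script carries out both procedures above in one pass: it backs up each listed file, turns every bare 3DES token in an SSLCipherSuite value into !3DES (in both the Apache "SSLCipherSuite HIGH:..." form and the Tomcat SSLCipherSuite="HIGH:..." attribute form), and, after the services have been restarted, offers the listeners on ports 443 and 8445 nothing but 3DES suites to confirm they now refuse the handshake. The install root for the Tomcat files, the function names, the backup suffix and the use of Python's ssl module in place of a vulnerability scanner are this example's assumptions. If managed XP or 2003 clients remain, remove sslForClients.conf from the list before running it.

```python
"""Added example, not Symantec's own code: back up the SEPM config files
named in this article, turn every bare 3DES token in an SSLCipherSuite
value into !3DES, and then check that a listener refuses a 3DES handshake.
The install root, the function names, the backup suffix and the use of
Python's ssl module instead of a vulnerability scanner are assumptions."""
import re
import shutil
import socket
import ssl
import sys
import time
from pathlib import Path

# Assumed install root; the article gives the Tomcat paths only relative to it.
SEPM_ROOT = Path(r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager")
APACHE_CONFIGS = [                        # client communications and SEPM Reporting
    SEPM_ROOT / "apache" / "conf" / "ssl" / "ssl.conf",
    SEPM_ROOT / "apache" / "conf" / "ssl" / "sslForClients.conf",  # omit if XP/2003 clients remain
]
TOMCAT_CONFIGS = [                        # internal server communications and web services
    SEPM_ROOT / "tomcat" / "conf" / "server.xml",
    SEPM_ROOT / "tomcat" / "instances" / "sepm-api" / "conf" / "server.xml",
]

# Apache writes `SSLCipherSuite HIGH:...`; the Tomcat connector writes
# SSLCipherSuite="HIGH:...". Group 1 is the prefix, group 2 the cipher string.
_DIRECTIVE = re.compile(r'(SSLCipherSuite\s*=?\s*"?)([^"\s]+)')


def harden_cipher_string(ciphers: str) -> str:
    """Disable the 3DES alias in one OpenSSL cipher string.

    Only a bare `3DES` token is rewritten, so a value that already reads
    `!3DES` comes back unchanged and the other tokens are never touched.
    """
    return ":".join("!3DES" if token == "3DES" else token
                    for token in ciphers.split(":"))


def harden_text(text: str) -> tuple[str, int]:
    """Rewrite every SSLCipherSuite value in a config file body.

    Returns the new body and the number of values that actually changed
    (0 on a second run, so the script is safe to re-apply).
    """
    changed = 0

    def replace(match):
        nonlocal changed
        new = harden_cipher_string(match.group(2))
        if new != match.group(2):
            changed += 1
        return match.group(1) + new

    return _DIRECTIVE.sub(replace, text), changed


def harden_file(path: Path) -> int:
    """Back the file up, then rewrite it in place; returns the change count.

    Bytes are decoded and re-encoded as-is so CRLF line endings survive.
    """
    original = path.read_bytes().decode("utf-8")
    new_text, changed = harden_text(original)
    if changed:
        backup = path.with_name(path.name + time.strftime(".bak-%Y%m%d-%H%M%S"))
        shutil.copy2(path, backup)        # copy keeps the original's timestamps
        path.write_bytes(new_text.encode("utf-8"))
    return changed


def accepts_3des(host: str, port: int, timeout: float = 5.0) -> bool:
    """Offer the listener nothing but 3DES suites and report whether it
    negotiates one (True means the finding is still present).

    TLS is pinned to 1.2 because set_ciphers() does not govern TLS 1.3
    suites; a TLS 1.3 capable listener would otherwise complete the
    handshake with AES and look as if it had accepted 3DES. set_ciphers()
    raises ssl.SSLError if the local OpenSSL build has no 3DES suites at
    all, in which case an external scanner is needed for this check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # only the negotiated cipher matters here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("3DES")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _, _ = tls.cipher()
                return "DES" in name
        except (ssl.SSLError, ConnectionResetError):
            return False                  # no shared cipher: 3DES is off


if __name__ == "__main__":
    if sys.argv[1:] == ["check"]:         # run this mode only after the service restart
        for port in (443, 8445):
            print(f"port {port} still accepts 3DES: {accepts_3des('localhost', port)}")
    else:
        for cfg in APACHE_CONFIGS + TOMCAT_CONFIGS:
            status = f"{harden_file(cfg)} value(s) changed" if cfg.exists() else "not found, skipped"
            print(f"{cfg}: {status}")
```

Run it once with no arguments from an elevated prompt to edit the files, restart the services listed above, then run it with `check` to repeat the scanner's test locally. A `False` for both ports is the expected result; a `True` usually means a service was not restarted or a file was skipped.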