How to disable TLS 1.0 and 1.1 on Symantec/Broadcom DLP OCR servers



Article ID: 204824


Products

Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

Symantec/Broadcom Data Loss Prevention (DLP) Optical Character Recognition (OCR) Server uses TLSv1.2 for communication with OCR clients (DLP detection servers). However, you also need to stop it from accepting TLS 1.0 and 1.1 entirely.


This method applies only to DLP 15.8 or earlier. It will not work with DLP 16.0 or later.

Resolution

To enable ONLY TLSv1.2 and disable the earlier TLS versions, perform the following steps:

1. Open the drive_letter:\SymantecDLPOCR\Protect\config\OCR.properties file on the OCR server with a text editor.

2. Add the following property to the file.

server.ssl.enabled-protocols=TLSv1.2

3. Save and close the file.

4. Restart the OCR Windows service, which is called "Symantec DLP OCR Server".

5. Repeat these steps for any other OCR servers where you need to disable TLS 1.0 and 1.1.


A second method to disable TLS 1.0 and 1.1 on the OCR server is to edit the bundled JRE's security policy, using the following steps:

1. Open the drive_letter:\SymantecDLPOCR\jre\lib\security\java.security file on the OCR server with a text editor.

2. Locate the property called jdk.tls.disabledAlgorithms.

3. Add TLSv1 and TLSv1.1 to the list of disabled algorithms so the property looks something like the following:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, TLSv1, TLSv1.1

4. Save and close the file.

5. Restart the OCR Windows service, which is called "Symantec DLP OCR Server".

6. Repeat these steps for any other OCR servers where you need to disable TLS 1.0 and 1.1.
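The two file edits above can be scripted so that they are applied identically on every OCR server and can be re-run safely. The following is an added example, not Broadcom's own tooling: it performs the OCR.properties edit from the first method and the java.security edit from the second method on file text, folding the backslash line continuations that java.security uses so existing entries are preserved. The sample java.security stanza is constructed for illustration.

```python
import re

# Constructed sample of the java.security stanza the article edits (not a real file).
JAVA_SECURITY = """jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

def ensure_property(text: str, key: str, value: str) -> str:
    """Set key=value in OCR.properties text: replace an existing line for
    the key (commented-out lines are left alone) or append a new one."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*[=:]")
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if pattern.match(line):
            lines[i] = f"{key}={value}"
            break
    else:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"

def disable_legacy_tls(text: str, protocols=("TLSv1", "TLSv1.1")) -> str:
    """Append protocols to jdk.tls.disabledAlgorithms in java.security text.
    The value may span several lines joined by trailing backslashes, so the
    logical line is folded first; existing entries are kept, nothing is
    duplicated, and running the function twice yields the same result."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        line = lines[i]
        if re.match(r"^\s*jdk\.tls\.disabledAlgorithms\s*=", line):
            logical = line
            # Fold continuation lines: strip the trailing backslash and join.
            while logical.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                logical = logical.rstrip()[:-1] + lines[i].strip()
            value = logical.split("=", 1)[1]
            entries = [e.strip() for e in value.split(",") if e.strip()]
            entries += [p for p in protocols if p not in entries]
            out.append("jdk.tls.disabledAlgorithms=" + ", ".join(entries))
        else:
            out.append(line)
        i += 1
    return "\n".join(out) + "\n"
```

To apply either change, read the file, pass its text through the matching function and write the result back after taking a backup; the service restart in the steps above is still required for the new setting to take effect.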


Additional Information