Force TLS 1.2 and disable TLS 1.0, 1.1 and 1.3 for DLP Detection/Prevent servers

Article ID: 206991

Products

  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention
  • Data Loss Prevention Network Email
  • Data Loss Prevention Network Monitor and Prevent for Email

Issue/Introduction

Disable TLS 1.0, 1.1, 1.3 and only use TLS 1.2 on DLP detection servers.

Environment

Release: DLP 15.8, 16.0.0, 16.0.1 (RU1), 16.0.2 (RU2)

Cause

Deprecation of TLS 1.0 and 1.1.

TLS 1.3 is not yet supported.

Resolution

In the java.security file, add TLSv1, TLSv1.1 and TLSv1.3 to the "jdk.tls.disabledAlgorithms" line.

Then recycle services after editing the file.

Default location of the java.security file is:

Windows:

  • 15.8.x: C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\lib\security\java.security
  • 16.0.x: C:\Program Files\AdoptOpenJRE\jdk8u352-b08-jre\lib\security\java.security

Linux:

  • 15.8.x: /opt/AdoptOpenJRE/jdk8u262-b10-jre/lib/security/java.security
  • 16.0.x: /opt/AdoptOpenJRE/jdk8u352-b08-jre/lib/security/java.security

Example:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, TLSv1, TLSv1.1, TLSv1.3
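As an added check, not part of this article, the following Python script reads a java.security file, joins the backslash-continued lines the way the JDK does, and reports which of TLSv1, TLSv1.1 and TLSv1.3 are still missing from jdk.tls.disabledAlgorithms. The file path is given on the command line; the two excerpts embedded in the script are constructed samples, one matching the article's example line and one that still permits the three versions.

```python
"""Check that a java.security file disables TLSv1, TLSv1.1 and TLSv1.3.

Added example, not part of the article: parses jdk.tls.disabledAlgorithms,
honouring the trailing-backslash line continuations java.security uses,
and lists the required protocol names that are still missing.
"""
import sys

REQUIRED = ("TLSv1", "TLSv1.1", "TLSv1.3")


def parse_properties(text):
    """Minimal Java properties parser sufficient for java.security.

    Handles '#' / '!' comment lines, 'key=value' pairs and a trailing
    backslash that continues the value on the next physical line
    (leading whitespace of the continuation is dropped, as the JDK does).
    A repeated key keeps its last value, matching JDK behaviour.
    Escaped backslashes inside values are not handled; the TLS settings
    never use them.
    """
    props = {}
    pending = ""           # partial logical line being continued
    for raw in text.splitlines():
        line = raw.lstrip() if pending else raw
        if not pending and (not line.strip() or line.lstrip()[0] in "#!"):
            continue       # blank line or comment
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue       # value continues on the next line
        logical = pending + line
        pending = ""
        if "=" in logical:
            key, _, value = logical.partition("=")
            props[key.strip()] = value.strip()
    if pending and "=" in pending:   # file ended on a continuation
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
    return props


def disabled_algorithms(props):
    """Return the individual comma-separated entries of the property."""
    value = props.get("jdk.tls.disabledAlgorithms", "")
    return {item.strip() for item in value.split(",") if item.strip()}


def missing_protocols(text, required=REQUIRED):
    """Required protocol names absent from jdk.tls.disabledAlgorithms."""
    disabled = disabled_algorithms(parse_properties(text))
    return [name for name in required if name not in disabled]


# Constructed excerpt: the setting as the article's example shows it.
HARDENED = """\
# constructed java.security excerpt
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, TLSv1, TLSv1.1, TLSv1.3
"""

# Constructed excerpt: a line that still permits TLSv1, TLSv1.1 and TLSv1.3.
UNHARDENED = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC
"""

if __name__ == "__main__":
    # Usage: python check_java_security.py /path/to/java.security
    # (script name is hypothetical; without an argument the constructed
    # UNHARDENED excerpt is checked instead)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else UNHARDENED
    missing = missing_protocols(text)
    if missing:
        print("still enabled (add to jdk.tls.disabledAlgorithms):",
              ", ".join(missing))
        sys.exit(1)
    print("OK: TLSv1, TLSv1.1 and TLSv1.3 are disabled")
```

Because the property is split on commas only after the continuation lines are joined, an entry such as "DH keySize < 1024" survives intact and "TLSv1" is matched as a whole entry rather than as a prefix of "TLSv1.1"; run it against the java.security path for your release before recycling services.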

After recycling services, test and verify that the connection no longer negotiates TLSv1, TLSv1.1 or TLSv1.3.

Use the openssl command as shown here:

  • openssl.exe s_client -connect [servername]:[port] -starttls smtp -tls1
    • openssl.exe s_client -connect EXAMPLE.CORP.ORG:25 -starttls smtp -tls1
    • openssl.exe s_client -connect EXAMPLE.CORP.ORG:25 -starttls smtp -tls1_1
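The following Python script is an added example, not part of the article: it runs the same openssl s_client -starttls smtp probe once per protocol version (going beyond the article's list by also trying -tls1_2 and -tls1_3) and classifies each outcome from s_client's "New, <protocol>, Cipher is <cipher>" line, so all four versions can be compared in one pass with the expected post-hardening state, in which only TLSv1.2 negotiates. The host name, port and openssl binary location are assumptions; the two s_client excerpts embedded for the offline self-check are constructed.

```python
"""Probe a DLP server for TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3 support.

Added example, not part of the article. It runs the article's
'openssl s_client -starttls smtp' check once per protocol version and
classifies each result from s_client's output, so the whole set can be
compared with the expected state after hardening: only TLSv1.2 negotiates.
Host name, port and the openssl binary path are assumptions.
"""
import re
import subprocess
import sys

# s_client flag for each version (the article shows -tls1 and -tls1_1).
VERSION_FLAGS = {
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
    "TLSv1.3": "-tls1_3",
}

# Expected outcome after hardening: True = the server negotiates it.
EXPECTED = {"TLSv1": False, "TLSv1.1": False, "TLSv1.2": True, "TLSv1.3": False}


def handshake_succeeded(output):
    """True if s_client's output shows a negotiated session.

    A successful handshake prints 'New, <protocol>, Cipher is <cipher>',
    e.g. 'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'. A refused
    version prints 'New, (NONE), Cipher is (NONE)' plus an error such as
    'tlsv1 alert protocol version' or 'wrong version number'.
    """
    match = re.search(r"^New, (.+?), Cipher is (.+)$", output, re.MULTILINE)
    if not match:
        return False
    protocol, cipher = match.groups()
    return protocol != "(NONE)" and cipher != "(NONE)"


def probe(host, port, version, openssl="openssl", timeout=20):
    """Run s_client for one version; returns True if it negotiated.

    'openssl' is assumed to be on PATH (pass the full path to openssl.exe
    on Windows). 'Q' on stdin makes s_client close the session cleanly.
    """
    cmd = [openssl, "s_client", "-connect", f"{host}:{port}",
           "-starttls", "smtp", VERSION_FLAGS[version]]
    proc = subprocess.run(cmd, input="Q\n", capture_output=True,
                          text=True, timeout=timeout)
    return handshake_succeeded(proc.stdout + proc.stderr)


def violations(observed):
    """Versions whose observed behaviour differs from EXPECTED.

    observed: {version: negotiated_bool} as returned by audit().
    """
    return sorted(v for v, negotiated in observed.items()
                  if EXPECTED[v] != negotiated)


def audit(host, port, openssl="openssl"):
    """Probe all four versions and return {version: negotiated}."""
    return {v: probe(host, port, v, openssl) for v in VERSION_FLAGS}


# Constructed s_client excerpts for exercising the classifier offline.
SAMPLE_NEGOTIATED = """\
SSL handshake has read 2351 bytes and written 433 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
"""
SAMPLE_REFUSED = """\
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
"""

if __name__ == "__main__":
    # Usage: python tls_probe.py EXAMPLE.CORP.ORG 25 [path\to\openssl.exe]
    # (script name is hypothetical)
    host, port = sys.argv[1], sys.argv[2]
    openssl = sys.argv[3] if len(sys.argv) > 3 else "openssl"
    observed = audit(host, port, openssl)
    for version, negotiated in observed.items():
        print(f"{version:8} {'negotiated' if negotiated else 'refused'}")
    bad = violations(observed)
    print("violations:", ", ".join(bad) if bad else "none")
    sys.exit(1 if bad else 0)
```

Run it with an OpenSSL build of 1.1.1 or later: an older openssl rejects the -tls1_3 option before connecting, which produces no "New, ..." line and would be reported as "refused" even though the server was never asked. A non-zero exit means at least one version behaves differently from the hardened baseline, so the java.security edit or the service recycle should be rechecked on that server.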

Additional Information