Force TLS 1.2 and disable TLS 1.0, 1.1 for detection/prevent servers



Article ID: 206991


Products

  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention
  • Data Loss Prevention Network Email
  • Data Loss Prevention Network Monitor and Prevent for Email

Issue/Introduction

Disable TLS 1.0 and 1.1 and use only TLS 1.2 on DLP detection servers.

Environment

Release: DLP 15.7 and 15.8

Cause

Deprecation of TLS 1.0 and 1.1

Resolution

In the java.security file, add TLSv1 and TLSv1.1 to the jdk.tls.disabledAlgorithms line. Append them to the entries already present rather than replacing the line: the default list differs between JRE builds, and dropping an existing entry would re-enable that algorithm. The setting applies to both sides of every JSSE connection, so the detection server will neither accept nor initiate TLS 1.0/1.1 sessions; the MTAs it talks to must support TLS 1.2.

Then recycle the DLP services after editing the file; the JRE reads java.security only at startup.

Keep a backup of the edited file. Each DLP release ships its own JRE (see the version-specific paths below), so an upgrade that installs a new JRE comes with a fresh java.security and the change has to be reapplied.

Default location of the java.security file is:

Windows:

  • 15.7.x: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\lib\security\java.security
  • 15.8.x: C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\lib\security\java.security

Linux:

  • 15.7.x: /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/lib/security/java.security
  • 15.8.x: /opt/AdoptOpenJRE/jdk8u262-b10-jre/lib/security/java.security

Example:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, TLSv1, TLSv1.1

The trailing backslash continues the value onto the next line. Keep it, and make sure TLSv1 and TLSv1.1 land inside the same continued value; an entry placed after a line without the backslash is parsed as a separate, unknown property and silently ignored.

Additional Information

After recycling services, test and verify that the server no longer negotiates TLSv1 or TLSv1.1.

Use the openssl s_client command against the SMTP listener, forcing one protocol version per probe (the binary is openssl.exe on Windows and openssl on Linux):

  • openssl.exe s_client -connect [servername]:[port] -starttls smtp -tls1
  • openssl.exe s_client -connect WXYZ.CORP.ORG:25 -starttls smtp -tls1
  • openssl.exe s_client -connect WXYZ.CORP.ORG:25 -starttls smtp -tls1_1

Both probes of WXYZ.CORP.ORG must now fail with a handshake error instead of printing a certificate and session. Repeat with -tls1_2 to confirm that TLS 1.2 is still accepted; that probe must succeed. With OpenSSL 3.x, add -cipher 'DEFAULT:@SECLEVEL=0' to the -tls1 and -tls1_1 probes, because the client itself refuses to offer those versions at its default security level and the failure would then come from the client rather than from the server.
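The script below is an added example for the Linux side of this procedure and is not part of the article or of the DLP product. It edits jdk.tls.disabledAlgorithms in a java.security file (handling the backslash-continued layout the JDK ships), keeps a backup, and then probes the SMTP listener with each protocol version as described above. The file path, host name and port are arguments you supply; the subcommand names (edit, verify), the function names and the backup naming are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article: force TLS 1.2 on a DLP detection
# server by editing java.security, then verify with openssl s_client.
set -eu

# Add every protocol named in $2.. to jdk.tls.disabledAlgorithms in the
# java.security file $1, keeping entries that are already there. The property
# may span several lines joined by trailing backslashes; the rewritten value is
# emitted on one line. Prints the resulting line; returns non-zero if the
# property is missing.
disable_tls_versions() {
    local file="$1"; shift
    local wanted="$*" tmp
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    cp -p "$file" "$file.bak-$(date +%Y%m%d%H%M%S)"   # keep a restorable copy
    tmp=$(mktemp)
    if ! awk -v wanted="$wanted" '
        function emit_property(   i, n, parts, seen, out) {
            sub(/^[^=]*=[ \t]*/, "", joined)          # strip "name=" prefix
            n = split(joined, parts, /,[ \t]*/)
            out = ""
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == "") continue
                seen[parts[i]] = 1
                out = out (out == "" ? "" : ", ") parts[i]
            }
            n = split(wanted, parts, / +/)            # append only what is absent
            for (i = 1; i <= n; i++)
                if (!(parts[i] in seen)) out = out (out == "" ? "" : ", ") parts[i]
            print "jdk.tls.disabledAlgorithms=" out
            found = 1
        }
        incont {                                      # continuation line
            line = $0
            if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); joined = joined line; next }
            joined = joined line; incont = 0; emit_property(); next
        }
        /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            line = $0
            if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); joined = line; incont = 1; next }
            joined = line; emit_property(); next
        }
        { print }
        END { if (!found) exit 3 }
    ' "$file" > "$tmp"; then
        rm -f "$tmp"
        echo "jdk.tls.disabledAlgorithms not found in $file" >&2
        return 3
    fi
    mv "$tmp" "$file"
    grep '^jdk.tls.disabledAlgorithms=' "$file"
}

# Probe host $1 (SMTP port $2, default 25) with TLS 1.0, 1.1 and 1.2. Prints one
# line per version and returns 1 if a deprecated version was still accepted.
# The SECLEVEL=0 cipher string lets an OpenSSL 3.x client offer TLS 1.0/1.1 at
# all, so a rejection really comes from the server.
verify_tls_versions() {
    local host="$1" port="${2:-25}" bad=0 proto rc
    for proto in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$host:$port" -starttls smtp "-$proto" \
                -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
            rc=accepted
        else
            rc=rejected
        fi
        echo "$proto: $rc"
        case "$proto" in tls1|tls1_1) [ "$rc" = rejected ] || bad=1 ;; esac
    done
    return $bad
}

# Usage (paths/host are examples):
#   ./tls12-only.sh edit /opt/AdoptOpenJRE/jdk8u262-b10-jre/lib/security/java.security
#   (recycle the DLP services)
#   ./tls12-only.sh verify WXYZ.CORP.ORG 25
case "${1:-}" in
    edit)   disable_tls_versions "$2" TLSv1 TLSv1.1 ;;
    verify) verify_tls_versions "$2" "${3:-25}" ;;
esac
```

Run edit, recycle the services, then run verify; the verify step exits non-zero if the server still completes a TLS 1.0 or 1.1 handshake, which makes it usable from a change-validation job. The edit step is idempotent, so re-running it after a JRE upgrade is safe.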