Force TLS 1.2 and disable TLS 1.0, 1.1 on port 25 for email detection/prevent servers

Article ID: 206991

Products

  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention
  • Data Loss Prevention Network Email
  • Data Loss Prevention Network Monitor and Prevent for Email

Issue/Introduction

Disable TLS 1.0 and 1.1 and use only TLS 1.2 on DLP email prevent/detection servers.

Cause

Deprecation of TLS 1.0 and 1.1

Environment

Release: DLP 15.7 MP1

Component: Email prevent

Resolution

In the java.security file, add TLSv1 and TLSv1.1 to the "jdk.tls.disabledAlgorithms" entry.

Then recycle the services after editing the file.

Default location of the java.security file is:

Windows: c:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\lib\security\java.security

Linux: /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/lib/security/java.security

Example (the backslash at the end of the first line is the file's own line continuation; the entry is one property spread over two lines):

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
        EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, TLSv1, TLSv1.1
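The following script is an added example, not part of this article or of the DLP product: it reads a java.security file the way java.util.Properties does (joining the backslash continuation lines), reports whether TLSv1 and TLSv1.1 are already in jdk.tls.disabledAlgorithms, and appends whichever are missing without disturbing other entries. It assumes the stock JDK 8 entry is present, as this article does; the embedded java.security excerpt is constructed for the demonstration.

```python
"""Check and patch jdk.tls.disabledAlgorithms in a java.security file.
Assumes the stock JDK 8 entry exists; handles the backslash continuation lines."""
KEY = "jdk.tls.disabledAlgorithms"
LEGACY = ("TLSv1", "TLSv1.1")   # protocols the article says to add to the entry
# Constructed excerpt in the JDK 8u181 layout; not the real shipped file.
SAMPLE = """\
# java.security (constructed sample)
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224
"""

def _logical_lines(text):
    """Yield (first_idx, last_idx, joined) per logical line, joining trailing-
    backslash continuations as java.util.Properties does; comments never continue."""
    raw, i = text.splitlines(), 0
    while i < len(raw):
        start, line = i, raw[i].strip()
        if not line.startswith(("#", "!")):
            while line.endswith("\\") and i + 1 < len(raw):
                i += 1
                line = line[:-1] + raw[i].strip()
        yield start, i, line
        i += 1

def _find_property(text):
    for start, end, line in _logical_lines(text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            return start, end, [t.strip() for t in value.split(",") if t.strip()]
    return None

def disabled_algorithms(text):
    found = _find_property(text)
    return found[2] if found else []

def missing_legacy_tls(text):
    present = set(disabled_algorithms(text))
    return [p for p in LEGACY if p not in present]

def with_legacy_tls_disabled(text):
    """Append the missing protocols to KEY's last physical line; other keys untouched."""
    missing = missing_legacy_tls(text)
    if not missing:
        return text
    found = _find_property(text)
    if found is None:
        raise ValueError(f"{KEY} not present in java.security")
    lines = text.splitlines()
    lines[found[1]] = lines[found[1]].rstrip() + ", " + ", ".join(missing)
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
```

Run it against a copy of the real file (the paths above) before recycling services, and diff the result so only the one entry changed.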

Additional Information

After recycling services, verify that the server no longer negotiates TLSv1 or TLSv1.1. Each of the openssl s_client commands below forces a single protocol version over STARTTLS on port 25; once the change is in effect, the TLSv1 and TLSv1.1 attempts should end in a handshake failure, while the same command with -tls1_2 should still complete.

Use the openssl command as shown here:

  • General form: openssl.exe s_client -connect [servername]:[port] -starttls smtp -tls1
  • TLS 1.0 check: openssl.exe s_client -connect WXYZ.CORP.ORG:25 -starttls smtp -tls1
  • TLS 1.1 check: openssl.exe s_client -connect WXYZ.CORP.ORG:25 -starttls smtp -tls1_1