Disabling TLS 1.0 with Endpoint Encryption

Article ID: 210625

Products

Endpoint Encryption

Issue/Introduction

Endpoint Encryption release 11.3 and above disables TLS 1.0 and TLS 1.1 by default.

It may also be possible to disable TLS 1.0 and TLS 1.1 in some earlier releases, subject to the conditions described in the Resolution below.

Please note that as of 31 March 2021, all releases of Endpoint Encryption below 11.3 are End of Service (support).

Environment

Symantec Endpoint Encryption 11.2.0 and above.

Resolution

As documented in the Endpoint Encryption 11.3.1 Installation Guide, TLS 1.0 only needs to remain enabled on the server for clients running releases prior to 11.1. Clients running release 11.1 and above negotiate TLS 1.2 with the Endpoint Encryption Management Server (SEEMS) automatically, so the client-to-server connection is not the constraint on disabling TLS 1.0 and 1.1.

However, prior to release 11.3, SEEMS used SQLOLEDB, the Microsoft OLE DB Provider for SQL Server, to connect to the Endpoint Encryption SQL Server database, and SQLOLEDB does not support TLS 1.2.

In release 11.3 and above, SEEMS uses MSOLEDBSQL, the Microsoft OLE DB Driver for SQL Server, which does support TLS 1.2.

Therefore, if the connection between SEEMS and the database is encrypted (for example, because Force Encryption is enabled on the SQL Server instance), SEEMS releases prior to 11.3 cannot be restricted to TLS 1.2 only: with TLS 1.0 and 1.1 disabled, SQLOLEDB would have no protocol left to negotiate for the encrypted database connection.

If SEEMS does not use an encrypted connection to the database, the Windows Server hosting SEEMS release 11.2 or 11.2.1 can be configured to disable TLS 1.0 and 1.1 and enable TLS 1.2.

Note that disabling TLS 1.0 on SEEMS release 11.1 and below breaks generation of the client installation *.msi files, so disabling TLS 1.0 on those releases is not recommended. SEE 11.1.3 went end of service on 26 July 2020.

To disable TLS 1.0 and TLS 1.1, update the registry under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Each protocol has its own subkey (TLS 1.0, TLS 1.1, TLS 1.2) containing Client and Server subkeys. Setting the DWORD values Enabled=0 and DisabledByDefault=1 under both the Client and Server subkeys turns a protocol off; Enabled=1 and DisabledByDefault=0 turns it on. Set TLS 1.2 on explicitly on older Windows Server versions where it is not enabled by default. SCHANNEL reads these values at boot, so the server must be restarted for the change to take effect.
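As an added example (not part of the original article and not Endpoint Encryption product code), the following PowerShell script applies that registry change on the Windows Server hosting SEEMS 11.2 or 11.2.1, and first checks the caveat above. The Force Encryption check assumes the SEEMS database runs on a SQL Server instance installed on the same machine; for a remote instance, verify Force Encryption on that server instead. The function names are this example's own.

```powershell
# Added example, not part of the original article or of the Endpoint Encryption
# product: disable TLS 1.0/1.1 and enable TLS 1.2 in SCHANNEL on the Windows
# Server hosting SEEMS 11.2 / 11.2.1. Run in an elevated PowerShell session.
# SCHANNEL changes take effect only after a reboot.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off for this side; DisabledByDefault=1
        # additionally stops it being negotiated unless an application opts in.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $side
        # Absent values mean the OS default for that protocol applies.
        $enabled = 'OS default'; $disabledByDefault = 'OS default'
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            if ($null -ne $p.Enabled)           { $enabled = $p.Enabled }
            if ($null -ne $p.DisabledByDefault) { $disabledByDefault = $p.DisabledByDefault }
        }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
        }
    }
}

# Safety check for the caveat in the article: SEEMS releases before 11.3 use
# SQLOLEDB, which cannot use TLS 1.2, so TLS 1.0/1.1 must stay on if the SQL
# connection is encrypted. Assumption: the SEEMS database instance is local;
# this reads each local instance's ForceEncryption setting from the registry.
function Test-LocalSqlForceEncryption {
    $names = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $names)) { return @() }
    $map = Get-ItemProperty -Path $names
    foreach ($prop in ($map.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $lib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($prop.Value)\MSSQLServer\SuperSocketNetLib"
        $force = (Get-ItemProperty -Path $lib -ErrorAction SilentlyContinue).ForceEncryption
        [pscustomobject]@{ Instance = $prop.Name; ForceEncryption = [int]$force }
    }
}

$encrypted = Test-LocalSqlForceEncryption | Where-Object { $_.ForceEncryption -eq 1 }
if ($encrypted) {
    Write-Warning ("Force Encryption is on for instance(s): " + ($encrypted.Instance -join ', ') +
        ". SEEMS releases before 11.3 (SQLOLEDB) need TLS 1.0/1.1 for an encrypted SQL connection; SCHANNEL left unchanged.")
    return
}

Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false

# Read the values back so the change can be verified before rebooting.
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize
Write-Host 'Reboot the server for the SCHANNEL changes to take effect.'
```

After the reboot, confirm from a second machine that the SEEMS server no longer accepts TLS 1.0 or 1.1 (for example with a TLS scanner or a client pinned to those versions), and confirm that the Management Console and client check-ins still work over TLS 1.2 before rolling the change out further.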

Additional Information

EPG-22799