Disabling TLS 1.0 with Endpoint Encryption

Article ID: 210625


Products

Endpoint Encryption

Issue/Introduction

Endpoint Encryption 11.3.0 and above disables TLS 1.0 and TLS 1.1 by default.

Resolution

Legacy clients running releases prior to 11.1.0 need TLS 1.0 to be enabled. SEE Clients running release 11.1.0 and above connect to the Endpoint Encryption Management Server (SEEMS) using TLS 1.2 automatically.

Of note, prior to release 11.3.0, Endpoint Encryption Management Server (SEEMS) used SQLOLEDB, the Microsoft OLE DB Provider for SQL Server, to connect to the Endpoint Encryption SQL Server database. SQLOLEDB does not support TLS 1.2.  As a result, we highly recommend upgrading to the latest release of the SEE Management Server and SEE Clients.

 

In release 11.3.0 and above, SEEMS uses MSOLEDBSQL, the Microsoft OLE DB Driver for SQL Server, to connect to the database. MSOLEDBSQL can use TLS 1.2.

If a TLS connection is being used to connect to the database, SEEMS releases prior to 11.3 cannot be configured to use only TLS 1.2.

If SEEMS is not using a TLS connection to connect to the database, the Windows Server hosting SEEMS can be updated to disable TLS 1.0 and 1.1 and enable TLS 1.2 for SEEMS releases 11.2 and 11.2.1.  

Note: Disabling TLS 1.0 on SEEMS release 11.1 and below will cause problems generating the client installation *.msi files, so disabling TLS 1.0 is not recommended.

To disable TLS 1.0 and TLS 1.1, the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry key needs to be updated as described here.
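
The registry change described above, as an added PowerShell example that is not part of the original article: it audits and then sets the per-protocol `Enabled` and `DisabledByDefault` DWORD values that Microsoft documents under the SCHANNEL `Protocols` key. The function names are hypothetical, and the script assumes the case the article allows (SEEMS 11.2 or 11.2.1 with no TLS connection to the database).

```powershell
# Added example (not from the original article). Run elevated on the SEEMS host.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Target state from the article: TLS 1.0 and 1.1 disabled, TLS 1.2 enabled.
$desired = [ordered]@{ 'TLS 1.0' = $false; 'TLS 1.1' = $false; 'TLS 1.2' = $true }
$roles = 'Server', 'Client'

# Hypothetical helper: report what is currently configured for each protocol/role.
function Get-SchannelProtocolState {
    foreach ($proto in $desired.Keys) {
        foreach ($role in $roles) {
            $key = Join-Path $base "$proto\$role"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                # A missing value means the Windows default for that OS build applies.
                Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { 'not set' }
                DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'not set' }
            }
        }
    }
}

# Hypothetical helper: write the target state. Supports -WhatIf for a dry run.
function Set-SchannelProtocolState {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($proto in $desired.Keys) {
        foreach ($role in $roles) {
            $key = Join-Path $base "$proto\$role"
            $on = [int]$desired[$proto]
            if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$on, DisabledByDefault=$(1 - $on)")) {
                # Create the key only if absent so existing values are not wiped.
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value $on -Force | Out-Null
                New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value (1 - $on) -Force | Out-Null
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize   # audit first
Set-SchannelProtocolState -WhatIf                    # preview; drop -WhatIf to apply, then reboot
```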

 

To allow only TLS 1.2 to be used, upgrade the SEE Management Server and the SEE clients to the latest release of the software. As of this writing, SEE version 12 is the latest version and supports only TLS 1.2. Be sure to check the option "Disable TLS 1.0 and TLS 1.1" in the SEEMS Configuration Manager to allow TLS 1.2. A reboot of the Windows server will be required.

For further insight, reach out to Symantec Encryption Support.

Additional Information

EPG-22799