Messaging Gateway (SMG) patch 10.7.5-291 addresses an issue with the SMG Control Center accepting TLS1 connections when configured to only accept TLS1.1 or higher. Prior to patch 10.7.5-291, the Control Center ran with the default minimum TLS protocol level regardless of the TLS protocol level reported by the `cc-config status` command:
```
cc-config --status
Control center log level is WARN.
Compliance log retention is 30 days.
Port 443 is enabled.
Port 41080 is disabled.
Status of clientAuth is enabled.
set_tls_min_level is tls12
```
Testing the Control Center port shows lower TLS versions accepted before and after applying patch 10.7.5-291:
```
openssl s_client -connect smg.example.com:443 -tls1
CONNECTED(00000003)
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
```
Release : 10.7.5
The Control Center web application continues to run with the default configuration file even after patch 10.7.5-291 is applied.
This can be addressed by running the cc-config command to reset the minimum TLS level after applying patch 10.7.5-291:
```
patch -p 10.7.5-291 install
cc-config set-min-tls-level --tls12
```
Example:
```
smg-cc [10.7.5-4]> show --version
Version:    Install Date:
10.7.5-4    Wed 29 Dec 2021 10:41:01 PM PST
SMG patch installation history:
patch-10.7.5-290 2021-12-29 23:09
patch-10.7.5-291 2022-02-28 14:31
smg-cc[10.7.5-4]> cc-config set-min-tls-level --tls12
Stopping controlcenter (via systemctl): [ OK ]
Starting controlcenter (via systemctl): [ OK ]
```
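
To confirm the result after the Control Center restarts, the `openssl s_client` test shown earlier can be scripted. The following is an added example, not vendor code: the function names and the sample outputs are constructed for illustration, and `smg.example.com:443` is the placeholder host from the article's own command.

```shell
#!/bin/sh
# Added example, not vendor code. Parses `openssl s_client` output to decide
# whether a protocol below the required minimum was really accepted.

# Rank OpenSSL protocol names so they can be compared numerically.
tls_rank() {
    case "$1" in
        TLSv1)   echo 10 ;;
        TLSv1.1) echo 11 ;;
        TLSv1.2) echo 12 ;;
        TLSv1.3) echo 13 ;;
        *)       echo 0 ;;
    esac
}

# Read s_client output on stdin; print the protocol only if a cipher was agreed.
# A failed handshake can still print a Protocol line with "Cipher : 0000",
# so the Protocol line alone does not prove the connection was accepted.
accepted_protocol() {
    awk -F: '
        /^[ \t]*Protocol[ \t]*:/ { gsub(/[ \t\r]/, "", $2); proto = $2 }
        /^[ \t]*Cipher[ \t]*:/   { gsub(/[ \t\r]/, "", $2); cipher = $2 }
        END { if (proto != "" && cipher != "" && cipher != "0000" && cipher != "(NONE)") print proto }
    '
}

# Succeeds (exit 0) when $1, the accepted protocol, is below $2, the minimum.
below_minimum() {
    [ -n "$1" ] && [ "$(tls_rank "$1")" -lt "$(tls_rank "$2")" ]
}

# Live probe; $1 = host:port, $2 = s_client flag such as -tls1 or -tls1_1.
# Example: p=$(probe smg.example.com:443 -tls1)
#          below_minimum "$p" TLSv1.2 && echo "FAIL: $p accepted"
probe() {
    openssl s_client -connect "$1" "$2" </dev/null 2>/dev/null | accepted_protocol
}

# Constructed sample outputs (not captured from a real appliance).
sample_accepted() {
    printf '%s\n' 'CONNECTED(00000003)' 'SSL-Session:' \
        '    Protocol  : TLSv1' '    Cipher    : ECDHE-RSA-AES256-SHA'
}
sample_rejected() {
    printf '%s\n' 'CONNECTED(00000003)' 'SSL-Session:' \
        '    Protocol  : TLSv1' '    Cipher    : 0000'
}
```

Run the probe from a client whose OpenSSL build still permits TLS 1.0 and 1.1; many current builds refuse them locally, in which case an empty result reflects the client's policy rather than the Control Center's.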