How to force TLS 1.3 version on Enforce UI pages



Article ID: 439396


Products

Data Loss Prevention Core Package

Issue/Introduction

Vulnerability scanners report a finding when the Enforce UI still accepts lower TLS versions (for example, TLS 1.2 or below).

Environment

DLP 16.1 and above. 

Cause

Lower TLS versions (TLS 1.2 or below) left enabled on the Enforce server cause vulnerability scanners to flag them.

Resolution

Force TLS 1.3 in Enforce UI

To remediate the TLS vulnerability on your Data Loss Prevention (DLP) 25.1 Enforce server, you must update the server.xml file to explicitly enforce the desired TLS protocols.

In DLP versions 16.1 and later (including 25.1), the Enforce server uses Tomcat 9, which handles SSL configuration within the SSLHostConfig element.


Remediation Steps

  1. Locate the File: Navigate to the server.xml file on the Enforce Server. In version 25.1, the path is: %Program Files%\Symantec\DataLossPrevention\EnforceServer\25.1.00000\Protect\tomcat\conf\server.xml

  2. Edit the Connector: Open server.xml in a text editor and locate the <Connector> section for the SSL port (typically 8443 or 443).

  3. Update Protocols: Modify the protocols attribute within the SSLHostConfig section.

    • To enforce only TLS 1.3, set the value to: protocols="TLSv1.3"

    • Alternatively, to strictly allow only TLS 1.3, use protocols="TLSv1.3" and disable all other TLS/SSL protocols.

  4. Save and Restart: Save the file and restart the Symantec DLP Manager Service for the changes to take effect.


Additional Information

Below is a sample config with the protocols in server.xml
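The following is an added example, not the server.xml shipped with Enforce: it embeds a constructed Tomcat 9 Connector/SSLHostConfig fragment in its pre-remediation form (TLS 1.2 still allowed) and the hardened form from step 3 above, and parses both to report any SSL connector whose protocols attribute admits anything other than TLSv1.3. The function names and the keystore path are assumptions for illustration.

```python
"""Check a Tomcat 9 server.xml for SSL connectors that still allow TLS versions other than 1.3."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample (not the DLP server.xml): one SSL connector on 8443 that still
# allows TLS 1.2 and would therefore trigger a scanner finding.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# The same connector after the remediation step: only TLS 1.3 remains.
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    'protocols="TLSv1.2,TLSv1.3"', 'protocols="TLSv1.3"')


def ssl_protocols(server_xml: str) -> Dict[str, List[str]]:
    """Map each SSL-enabled Connector port to the protocol list of its SSLHostConfig.

    Tomcat 9 treats a missing protocols attribute as "all", so that is what is reported.
    """
    root = ET.fromstring(server_xml)
    result: Dict[str, List[str]] = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        host_cfg = conn.find("SSLHostConfig")
        raw = host_cfg.get("protocols", "all") if host_cfg is not None else "all"
        result[conn.get("port", "?")] = [p.strip() for p in raw.split(",") if p.strip()]
    return result


def connectors_allowing_below_tls13(server_xml: str) -> List[str]:
    """Ports whose protocol list admits anything other than TLSv1.3 (including the "all" default)."""
    return sorted(port for port, protos in ssl_protocols(server_xml).items()
                  if protos != ["TLSv1.3"])


if __name__ == "__main__":
    for label, xml in (("before", WEAK_SERVER_XML), ("after", HARDENED_SERVER_XML)):
        print(label, ssl_protocols(xml), "findings:", connectors_allowing_below_tls13(xml))
```

Point `ET.parse` at the real path from step 1 instead of the embedded sample to run the same check against a live Enforce server.xml before and after the restart.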
After restarting the manager, open the Enforce UI in your browser, press F12 to open the developer tools, and go to the Security tab to confirm that TLS 1.3 is in use.