Messaging Gateway (SMG) patch 10.7.5-291 addresses an issue with the SMG Control Center accepting TLS1 connections when configured to only accept TLS1.1 or higher. Prior to patch 10.7.5-291, the Control Center ran with the default minimum TLS protocol level regardless of the TLS protocol level reported by the `cc-config status` command:

cc-config --status
Control center log level is WARN.
Compliance log retention is 30 days.
Port 443 is enabled.
Port 41080 is disabled.
Status of clientAuth is enabled.
set_tls_min_level is tls12

Testing the Control Center port shows lower TLS versions accepted before and after applying patch 10.7.5-291

openssl s_client -connect smg.example.com:443 -tls1
CONNECTED(00000003)
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA

Release : 10.7.5

Component :

The Control Center web application is running based on the default configuration file even after patch 10.7.5-291 is applied.

This can be addressed by running the cc-config command to reset the minimum TLS level after applying patch 10.7.5-291

1. Log into the SMG Control Center command line interface as "admin"
2. Install patch 10.7.5-291 if it is not already installed

   patch -p 10.7.5-291 install

3. Reset the minimum TLS version for the SMG Control Center web application

   cc-config set-min-tls-level --tls12

Example

smg-cc [10.7.5-4]> show --version
Version:        Install Date:
10.7.5-4        Wed 29 Dec 2021 10:41:01 PM PST

SMG patch installation history:
     patch-10.7.5-290    2021-12-29 23:09
     patch-10.7.5-291    2022-02-28 14:31
smg-cc[10.7.5-4]> cc-config set-min-tls-level --tls12
Stopping controlcenter (via systemctl):                    [  OK  ]
Starting controlcenter (via systemctl):                    [  OK  ]