Cipher errors occur while logging into the DLP Enforce console.
Various errors may occur, for example (from Firefox):
An error occurred during a connection to x.x.x.x:8300. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
Because of weaknesses found in several cipher suites, operating systems and web browsers have been dropping the weak ones. The default cipher list Enforce ships for Tomcat is made up mainly of those older suites, so it has to be updated before a fully patched browser will connect.
Log into the Enforce Server and navigate to the "server.xml" file for Tomcat. By default it is in one of the following locations (the version directory reflects the installed release; 16.0.20000 corresponds to v16.0.2):
Windows
\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.20000\Protect\tomcat\conf
Linux
/opt/Symantec/DataLossPrevention/EnforceServer/16.0.20000/Protect/tomcat/conf
Open the server.xml file in a text editor. Find the “ciphers=” attribute on the HTTPS <Connector> element (port 8300 by default) and note the default for this file (in DLP v16.0.2):
"TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA"
You can amend the list (the part in quotes) as befits your security requirements. All four default suites use static RSA key exchange, so they provide no forward secrecy. For example, removing the above and replacing it with more recent ECDHE suites:
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
Note that the suites in this example still use CBC mode; where the Java runtime supports them, the AEAD suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 are preferable, and ECDHE_RSA suites require the Enforce server certificate to have an RSA key. Once the new cipher string has been saved, restart the SymantecDLPManager service or restart the server. After the Symantec DLP services are back up, users should be able to connect to the Enforce UI without errors.
In DLP 16.1 and later, TLS 1.3 is used and TLS 1.2 is negotiated only when the client cannot do TLS 1.3. A vulnerability scanner may still flag the older TLS 1.2 suites that remain available for that fallback.
The ciphers= attribute was removed from server.xml as of 16.1. It can be re-added to restrict the suites that may be negotiated (under TLS 1.3 or in the TLS 1.2 fallback) to the ones you prefer.
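The following script is an added example for this article and is not Symantec DLP or Tomcat code. It audits a ciphers= value for the two weaknesses discussed above (static RSA key exchange and CBC mode), rewrites the attribute on the SSL-enabled Connector in a copy of server.xml (adding the attribute when it is absent, as in 16.1 and later), and can probe a live console to show what a modern client actually negotiates. The server.xml fragment is constructed for illustration and its attributes are not copied from an Enforce install; RECOMMENDED is an assumed, tighter list that the article itself does not give.

```python
"""Audit a Tomcat ciphers= list and rewrite it in server.xml.

Added example; not Symantec DLP or Tomcat code. SAMPLE_SERVER_XML is a
constructed fragment and RECOMMENDED is an assumed list, not the article's.
"""
import re
import socket
import ssl
import xml.etree.ElementTree as ET

# The DLP 16.0.2 default and the ECDHE replacement quoted in the article.
DEFAULT_16_0_2 = ("TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, "
                  "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA")
ECDHE_ARTICLE = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                 "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
# Assumption: forward-secret AEAD suites only (requires an RSA server certificate).
RECOMMENDED = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Constructed server.xml fragment: one HTTPS Connector on 8300 plus a non-TLS AJP connector.
SAMPLE_SERVER_XML = f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8300" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="{DEFAULT_16_0_2}"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

SUITE_RE = re.compile(r"^TLS_[A-Z0-9_]+$")
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
AEAD_MARKERS = ("_GCM_", "_CHACHA20_")
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")
CIPHERS_ATTR_RE = re.compile(r'\bciphers="[^"]*"')


def parse_cipher_list(value):
    """Split a Tomcat ciphers= value into suite names; whitespace around commas is tolerated."""
    return [s.strip() for s in value.split(",") if s.strip()]


def audit_cipher_list(value):
    """Flag suites with static RSA key exchange (no forward secrecy), CBC mode, or malformed names."""
    suites = parse_cipher_list(value)
    findings = []
    for s in suites:
        if not SUITE_RE.match(s):
            findings.append((s, "not a standard TLS_ suite name"))
            continue
        if s in TLS13_SUITES:
            continue  # TLS 1.3 suites are always ephemeral and AEAD
        if not s.startswith(FORWARD_SECRET_PREFIXES):
            findings.append((s, "no forward secrecy (static RSA key exchange)"))
        if not any(m in s for m in AEAD_MARKERS):
            findings.append((s, "CBC mode rather than AEAD"))
    return {"suites": suites, "findings": findings, "ok": bool(suites) and not findings}


def set_connector_ciphers(xml_text, new_ciphers):
    """Set ciphers= on every SSLEnabled Connector, adding the attribute if it is missing.

    Works on the raw text so the rest of server.xml keeps its formatting.
    Returns (new_text, number_of_connectors_changed).
    """
    changed = 0

    def fix(match):
        nonlocal changed
        tag = match.group(0)
        if 'SSLEnabled="true"' not in tag:
            return tag  # plain HTTP/AJP connector: leave alone
        changed += 1
        if CIPHERS_ATTR_RE.search(tag):
            return CIPHERS_ATTR_RE.sub(f'ciphers="{new_ciphers}"', tag)
        end = "/>" if tag.endswith("/>") else ">"
        return tag[:-len(end)].rstrip() + f' ciphers="{new_ciphers}"' + end

    return CONNECTOR_RE.sub(fix, xml_text), changed


def connector_ciphers(xml_text):
    """Parse server.xml and return the ciphers= value of the first SSLEnabled Connector ('' if none)."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled") == "true":
            return conn.get("ciphers", "")
    return ""


def probe_server(host, port=8300, timeout=5.0):
    """Connect like a current browser and report (protocol, suite) the console negotiated. Network only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # consoles often use self-signed certs; we only want the suite
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for label, lst in (("16.0.2 default", DEFAULT_16_0_2),
                       ("article ECDHE list", ECDHE_ARTICLE), ("recommended", RECOMMENDED)):
        report = audit_cipher_list(lst)
        print(f"{label}: {'OK' if report['ok'] else 'findings'}")
        for suite, reason in report["findings"]:
            print(f"  {suite}: {reason}")
    new_xml, n = set_connector_ciphers(SAMPLE_SERVER_XML, RECOMMENDED)
    print(f"\nrewrote {n} connector(s); now ciphers={connector_ciphers(new_xml)}")
```

Run it against a copy of server.xml rather than the live file, diff the result, and only then replace the original and restart SymantecDLPManager. probe_server("enforce.example.com") (hostname assumed) shows what the console negotiates after the restart; if it still reports a TLS_RSA_ or CBC suite, the edit did not take effect or another Connector is serving the port.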