How to disable SSLv3, TLSv1.1, and TLSv1.0 on Data Loss Prevention (DLP) components
Need to disable SSLv3, TLSv1.1, and TLSv1.0.
Current releases of Data Loss Prevention (DLP) use TLS v1.2 for network communication. DLP v14.0 and above support the following protocols.
For backward compatibility, and so that DLP can still connect to older software and hardware, the older protocols remain enabled by default, so most security scans will flag this communication. To disable the older TLS and SSL protocols, apply the settings below.
NOTE: SSL v3 was officially deprecated by RFC 7568 in June 2015. Requirement 2.2.3 of PCI-DSS v3.1 sets June 30, 2016 as the date by which vendors must retire SSLv3, TLSv1.0 and TLSv1.1 ("early TLS" in PCI terminology).
$DLPDIR is the DLP installation directory
| Tunnel | File/parameter | Old value | New value | Notes |
|---|---|---|---|---|
| Browser <--> Enforce server | | sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" | sslEnabledProtocols="TLSv1.2" | Recycle the Vontu Manager service |
| Enforce <--> Detection server | | SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA | SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA256 | Ensure SSLautonegotiate is set to false in both files. Recycle the Vontu Monitor and Vontu Monitor Controller services |
| Detection/Endpoint server <--> Endpoint agent | "EndpointCommunications.SSLCipherSuites" in the Enforce Management Console (System > Servers > Overview > Server Settings) | TLS_RSA_WITH_AES_128_CBC_SHA | TLS_RSA_WITH_AES_128_CBC_SHA256 | Recycle the Vontu Monitor service (Endpoint server) |
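The following script is an added example, not Symantec's own tooling. It audits and rewrites the two file-based settings from the table (the sslEnabledProtocols attribute and the SSLcipherSuite / SSLautonegotiate keys) and then offers a live check that a listener no longer completes a handshake pinned to SSLv3, TLSv1.0 or TLSv1.1. It assumes that sslEnabledProtocols sits on a Tomcat-style Connector element in an XML file and that the cipher-suite keys live in a Java .properties file; the page names neither file, so the sample inputs below are constructed.

```python
"""Audit and harden DLP TLS settings (added example, not Symantec's code).

Assumptions not taken from the page: sslEnabledProtocols is an attribute of a
Tomcat-style <Connector> element, and SSLcipherSuite / SSLautonegotiate are
keys in a Java .properties file under $DLPDIR.
"""
import re
import socket
import ssl

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_PROTOCOLS = "TLSv1.2"
REQUIRED_CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA256"

_PROTO_RE = re.compile(r'sslEnabledProtocols="([^"]*)"')


def audit_connector(xml_text):
    """Return the set of legacy protocols still enabled on any connector."""
    found = set()
    for match in _PROTO_RE.finditer(xml_text):
        names = {p.strip() for p in match.group(1).split(",")}
        found.update(names & LEGACY_PROTOCOLS)
    return found


def harden_connector(xml_text):
    """Rewrite every sslEnabledProtocols attribute to TLSv1.2 only."""
    return _PROTO_RE.sub('sslEnabledProtocols="%s"' % REQUIRED_PROTOCOLS, xml_text)


def parse_properties(text):
    """Minimal key=value parser; ignores blank lines and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_properties(text):
    """Return a list of findings for an Enforce/Detection properties file."""
    props = parse_properties(text)
    findings = []
    if props.get("SSLcipherSuite") != REQUIRED_CIPHER:
        findings.append("SSLcipherSuite is %r, expected %s"
                        % (props.get("SSLcipherSuite"), REQUIRED_CIPHER))
    if props.get("SSLautonegotiate", "").lower() != "false":
        findings.append("SSLautonegotiate must be false so the pinned suite is used")
    return findings


def harden_properties(text):
    """Set the two keys to the hardened values, appending any that are missing."""
    wanted = {"SSLcipherSuite": REQUIRED_CIPHER, "SSLautonegotiate": "false"}
    out, seen = [], set()
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in wanted:
            out.append("%s = %s" % (key, wanted[key]))
            seen.add(key)
        else:
            out.append(line)
    for key, value in wanted.items():
        if key not in seen:
            out.append("%s = %s" % (key, value))
    return "\n".join(out) + "\n"


def protocol_accepted(host, port, version, timeout=5.0):
    """Live check: True if the server completes a handshake pinned to `version`.

    `version` is an ssl.TLSVersion member (SSLv3, TLSv1, TLSv1_1, ...).  After the
    change every legacy version should return False and TLSv1_2 should return True.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # we only test protocol acceptance here
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


# Constructed sample inputs (not real DLP files).
SAMPLE_XML = '<Connector port="443" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />'
SAMPLE_PROPS = "SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA\nSSLautonegotiate = true\n"

if __name__ == "__main__":
    print("legacy protocols on connector:", audit_connector(SAMPLE_XML))
    print(harden_connector(SAMPLE_XML))
    print("findings before:", audit_properties(SAMPLE_PROPS))
    print("findings after:", audit_properties(harden_properties(SAMPLE_PROPS)))
```

Run the file-based functions against the actual files before recycling the Vontu services, then use protocol_accepted against the Enforce and Detection listeners once they are back up; a client whose own OpenSSL build refuses to speak TLSv1.0 will also report False, so confirm the probe succeeds against a known legacy-enabled host before relying on it.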