Disabling support for earlier versions of TLS for Messaging Gateway

Article ID: 161316

Products

Messaging Gateway

Issue/Introduction

The Messaging Gateway (SMG) mail service and the Control Center web application need to be configured to allow only the latest supported version of the Transport Layer Security (TLS) protocol.

Environment

Messaging Gateway later than 10.6.5

Cause

SSL 3.0, TLS 1.0 and TLS 1.1 are no longer considered secure.

  • SSL 3.0 was deprecated in June 2015 by RFC 7568.
  • TLS 1.0 and TLS 1.1 rely on obsolete primitives (MD5/SHA-1 based PRF and handshake signatures) and, while a server still offers them, leave clients exposed to protocol-downgrade attacks. Most vendors scheduled their removal for 2020, and RFC 8996 (March 2021) formally deprecated both versions.

PCI DSS required SSL and early TLS (TLS 1.0) to be retired by 30 June 2018 and recommends TLS 1.2 or higher; TLS 1.2 is also the version recommended by Symantec. As of the writing of this article, SMG does not support TLS 1.3; it is on the roadmap for a future release (no version or date has been announced).

Resolution

Restricting SMTP/TLS protocol version for the SMG email service

To restrict the TLS version used to secure SMTP email, set the SSL Restrictions in the SMG Control Center. This is a global setting and affects all SMG scanners managed by that Control Center.

  1. Log into the Control Center as an administrator.
  2. Go to Protocols > Settings > SMTP tab > SSL Restrictions section.
  3. Select the highest protocol version to disable. The selected version and every older version are disabled (e.g. selecting TLS 1.0 disables SSLv3 and TLS 1.0, while TLS 1.1 and TLS 1.2 remain available; to accept only TLS 1.2, select TLS 1.1).
  4. Click Save.

Restricting HTTPS/TLS protocol version for the Control Center

To restrict the TLS version allowed for HTTPS connections to the SMG Control Center web application:

  1. Connect to the command line of the Control Center via SSH using the SMG's built-in admin account.
  2. Run the following command with the lowest TLS version that should still be accepted:
    • cc-config set-min-tls-level [--tls10|--tls11|--tls12]

      Example: cc-config set-min-tls-level --tls11 allows TLS 1.1 and TLS 1.2; --tls12 allows TLS 1.2 only.

Note:

  • FIPS Mode automatically disables SSLv3.
  • For further information, refer to the Administration Guide for SMG.
  • Once a protocol version is disabled (for example, TLS 1.1 and older), a peer that supports only a disabled version cannot complete the TLS handshake, so SMG drops the connection before any SMTP mail transaction (MAIL FROM/RCPT TO/DATA) begins. Depending on its policy, a sending MTA using opportunistic TLS may then retry in cleartext or defer the message, so review the mail logs after tightening the setting.
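To confirm that both restrictions took effect, the following shell script, added here and not part of this article or of the SMG product, drives openssl s_client against the scanner's SMTP port (with STARTTLS) and the Control Center's HTTPS port once per protocol version and reports which handshakes each service still accepts. The hostnames, ports and script name are placeholders you supply on the command line; the s_client excerpts used for the offline self-check are constructed, not captured from a real SMG.

```shell
#!/bin/sh
# Added TLS-version probe for SMG (not the product's own tooling).
# Exercises SMTP/STARTTLS on a scanner and HTTPS on the Control Center with
# each protocol version and classifies the outcome of every handshake.

# classify_handshake OUTPUT
# A completed s_client handshake prints a line such as
#   "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384"
# whereas a refused one prints "New, (NONE), Cipher is (NONE)".
# If the local openssl cannot even attempt the version (-ssl3 compiled out, or
# TLS 1.0/1.1 blocked by OpenSSL 3's default security level, which reports
# "no protocols available"), the probe proves nothing about the server, so
# report "untestable" instead of a misleading "rejected".
classify_handshake() {
  out="$1"
  if printf '%s\n' "$out" | grep -Eqi 'unknown option|no protocols available'; then
    echo untestable
  elif printf '%s\n' "$out" | grep -Eq '^New, (SSLv3|TLSv1(\.[123])?), Cipher is [A-Za-z0-9_-]+'; then
    echo accepted
  else
    echo rejected
  fi
}

# probe_tls HOST PORT VERSION_FLAG [STARTTLS_PROTO]
# VERSION_FLAG is one of -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3. With STARTTLS_PROTO
# (e.g. smtp) s_client upgrades an SMTP session, which is how the SMG scanner
# negotiates TLS; omit it for the Control Center's HTTPS port.
probe_tls() {
  host="$1"; port="$2"; flag="$3"; starttls="${4-}"
  set -- openssl s_client -connect "${host}:${port}" "$flag"
  if [ -n "$starttls" ]; then
    set -- "$@" -starttls "$starttls"
  fi
  # /dev/null on stdin makes s_client exit once the handshake is done; the
  # timeout covers servers that accept the TCP connection but never answer.
  if command -v timeout >/dev/null 2>&1; then
    out="$(timeout 15 "$@" </dev/null 2>&1)" || true
  else
    out="$("$@" </dev/null 2>&1)" || true
  fi
  classify_handshake "$out"
}

# report HOST PORT LABEL [STARTTLS_PROTO]
# One line per protocol version. After selecting "TLS 1.1" under SSL
# Restrictions, or running `cc-config set-min-tls-level --tls12`, SSLv3,
# TLS 1.0 and TLS 1.1 should read "rejected" and TLS 1.2 "accepted".
report() {
  printf '%s %s:%s\n' "$3" "$1" "$2"
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '  %-8s %s\n' "$flag" "$(probe_tls "$1" "$2" "$flag" "${4-}")"
  done
}

# Usage (placeholder hosts): sh smg_tls_probe.sh scanner.example.com cc.example.com
# Without arguments, run the classifier over constructed s_client excerpts so
# the script can be sanity-checked offline.
if [ "$#" -ge 2 ]; then
  report "$1" 25 "SMTP/STARTTLS" smtp
  report "$2" 443 "Control Center HTTPS"
else
  printf 'completed handshake -> %s\n' \
    "$(classify_handshake 'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384')"
  printf 'refused handshake   -> %s\n' \
    "$(classify_handshake 'New, (NONE), Cipher is (NONE)')"
fi
```

A result of "untestable" means your own OpenSSL would not offer that version, not that SMG refused it. SSLv3 is compiled out of most current builds, and OpenSSL 3 rejects TLS 1.0/1.1 at its default security level unless you pass `-cipher 'DEFAULT:@SECLEVEL=0'`; to prove server-side refusal of the legacy versions, run the probe from a host whose OpenSSL can still speak them.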