How to disable SSLv3, TLSv1.1, and TLSv1.0 on Data Loss Prevention (DLP) components
Need to disable SSLv3, TLSv1.1, and TLSv1.0.
Current releases of Data Loss Prevention (DLP) use TLS 1.2 for network communication. DLP 14.0 and above support the following protocols.
Older TLS and SSL protocol versions are still enabled for backward compatibility with older software and hardware, so most security scans will flag this communication. Use the settings below to disable the older TLS and SSL protocols on each communication link.
NOTE: SSLv3 was officially deprecated by RFC 7568 in June 2015. Requirement 2.2.3 of PCI DSS v3.1 set June 30, 2016 as the date by which SSLv3 and "early TLS" (TLS 1.0 and TLS 1.1, in PCI terminology) had to be retired; PCI DSS v3.2 later moved that deadline to June 30, 2018.
$DLPDIR is the DLP installation directory
Browser <--> Enforce server
Recycle Vontu Manager service
Enforce <--> Detection server
SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA
SSLcipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA256
Ensure SSLautonegotiate is set to false in both files. Note that TLS_RSA_WITH_AES_128_CBC_SHA256 is defined only for TLS 1.2 (RFC 5246), so pinning it also rules out a TLS 1.0 or 1.1 session, whereas TLS_RSA_WITH_AES_128_CBC_SHA can be negotiated under TLS 1.0 and 1.1 as well and does not by itself prevent those versions. Both suites use static RSA key exchange, so neither provides forward secrecy. Recycle the Vontu Monitor and Vontu Monitor Controller services.
Detection/Endpoint server <--> Endpoint agent
Set "EndpointCommunications.SSLCipherSuites" in the Enforce Management Console (System > Servers > Overview > Server Settings).
Recycle Vontu Monitor service (Endpoint server)
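After each service has been recycled, confirm from the network side that the listener refuses SSLv3, TLS 1.0 and TLS 1.1 and still accepts TLS 1.2. The script below is an added verification example, not DLP product code and not part of the original article; it assumes only that the openssl command-line tool is available on the machine you run it from and that you supply the host and port of the listener being checked (the console port of the Enforce server, the port the detection server listens on for Enforce, and the Endpoint server port, whatever your deployment uses).

```shell
#!/bin/sh
# tls_probe.sh: check which SSL/TLS versions a listener will negotiate.
# Added example (not DLP code). Requires the openssl CLI on this host.
# Usage: sh tls_probe.sh <host> <port>

# Classify the transcript of a single `openssl s_client` attempt.
# Prints one of: enabled, disabled, untestable, unknown.
judge_transcript() {
    transcript="$1"
    if printf '%s\n' "$transcript" | grep -qi 'unknown option'; then
        # This OpenSSL build was compiled without the requested protocol
        # (typical for -ssl3 on current builds): probe from a legacy build
        # or another scanner instead of treating it as disabled.
        echo untestable
    elif printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        echo disabled
    elif printf '%s\n' "$transcript" | grep -Eqi 'handshake failure|wrong version number|unsupported protocol|alert protocol version|no protocols available'; then
        echo disabled
    elif printf '%s\n' "$transcript" | grep -Eq 'Cipher is [A-Za-z0-9-]+'; then
        # A completed handshake prints the negotiated cipher name.
        echo enabled
    else
        echo unknown
    fi
}

# Run one handshake attempt with the given version flag and classify it.
probe_version() {
    host="$1"; port="$2"; flag="$3"
    # openssl exits non-zero on a failed handshake; "|| true" keeps the
    # loop going. "Q" closes the session once it is established.
    transcript=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" 2>&1 || true)
    judge_transcript "$transcript"
}

# Probe every version. Returns non-zero if any legacy version is still
# enabled or TLS 1.2 is not.
probe_host() {
    host="$1"; port="$2"; rc=0
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        result=$(probe_version "$host" "$port" "$flag")
        printf '%-8s %s\n' "$flag" "$result"
        case "$flag:$result" in
            -tls1_2:enabled) ;;
            -tls1_2:*) rc=1 ;;
            *:enabled) rc=1 ;;
        esac
    done
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    probe_host "$1" "$2"
fi
```

Run it once per link after the corresponding service recycle; a non-zero exit means something is still wrong. Two caveats: a current OpenSSL build usually cannot send SSLv3 at all and the script reports that version as untestable rather than disabled, and a listener that requires a client certificate can reject an anonymous s_client after the version has already been agreed, so a TLS 1.2 "disabled" on such a link is inconclusive until you repeat the probe with -cert and -key or check the server log.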