Original Message:
Sent: 4/2/2024 9:05:00 AM
From: levd
Subject: RE: Disabling old TLS protocols
I don't know how to get the update :)
Original Message:
Sent: Apr 02, 2024 08:54 AM
From: alexander-smg
Subject: Disabling old TLS protocols
Upgrade and retest. Make sure you have good backups.
Original Message:
Sent: 4/2/2024 8:52:00 AM
From: levd
Subject: RE: Disabling old TLS protocols
Thanks Alexander.
Art_P, I think you might be right about misleading or incorrect information; however, in the past 15 years or so we have had great support on the community forums at Symantec / Broadcom. Most of the time contacting "technical" support did not have the desired effect, to say the least, and known community members could help out much more effectively.
But anyway. 10.8.1-7 did not resolve the issue, and the issues keep coming back, but I will take a look at your document. Also, there is no new version available in the web GUI and not in the CLI (unable to access repo).
Original Message:
Sent: Apr 02, 2024 08:21 AM
From: alexander-smg
Subject: Disabling old TLS protocols
I concur
Original Message:
Sent: 4/2/2024 8:20:00 AM
From: Art_P
Subject: RE: Disabling old TLS protocols
TLS is used in more than one area of the Messaging Gateway and I didn't see clarification on exactly what you are having issues with. Some of the original information on this thread was for an issue specific to an older release. We haven't seen any issues in current releases, including 10.8.1. So, I recommend going through this document:
Securing Messaging Gateway Best Practices
If your issues persist, then open a support ticket. This is a general community board and not a place for technical support. There are non-Broadcom forum users that can post incorrect or misleading information here that can make corrective steps more difficult.
------------------------------
Support Engineer
* Integrated Cyber Defense Exchange
* Messaging Gateway
* Packet Shaper
Symantec Enterprise Division
Broadcom Software
Original Message:
Sent: Apr 02, 2024 04:18 AM
From: levd
Subject: Disabling old TLS protocols
I wonder if there is any update on this? I still get the vulnerability once in a while from Qualys..
I'm using the option "disable support for tls 1.1 and earlier versions" but still get QID 38863.
How do I get rid of this vulnerability? I'm running Symantec Messaging Gateway 10.8.1-7; is there any new version? It's not available from the web GUI, and also from the CLI when running the "patch list" command there is no new version but only a repo error.
Original Message:
Sent: Mar 25, 2022 05:43 AM
From: mols
Subject: Disabling old TLS protocols
Hardenize.com, Section Email and TLS:
Original Message:
Sent: Mar 24, 2022 05:34 PM
From: Thomas Anderson
Subject: Disabling old TLS protocols
PS: could you please post here what algorithm(s) your audit is complaining about? I'm really curious, since the values the product (at least at the 10.7.5 level) ship with are based on the IETF recommended kex algorithms from 2020 and I'm not aware of any of them being deprecated or downgraded.
Thanks!
Original Message:
Sent: Mar 24, 2022 02:43 PM
From: Thomas Anderson
Subject: Disabling old TLS protocols
I suspect the report regarding kex algorithms is probably due to it probing the ssh port/service and it's not related to TLS usage for HTTPS or SMTP/TLS (this is just my guess, so you should confirm by looking at your report). If my guess turns out to be correct I would suggest you take a look at the "sshd-config" command line tool. "sshd-config -v" will display all the current settings, for example:
qa-r610-01 [10.7.5-4]> sshd-config -v
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'.
You can modify the kexalgorithms by using the "-k" option and specifying a comma separated list of the algorithms you want to be in effect.
I STRONGLY recommend that you run the "-v" option first and save the output so that you can recover in case you accidentally "configure yourself out of the box"!
A sample session: suppose you determine that your audit is complaining about diffie-hellman-group-exchange-sha256 (it shouldn't be, but this is just an example). Then you would run
sshd-config -k 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
Previous setting for KexAlgorithms:
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
New setting for KexAlgorithms:
curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Do you wish to make this change? (yes/no)
respond "yes" and the new list will go into effect.
Like I said before: be extra careful when you are modifying these values.
Note that this is a "cli" command, so you will have to login to each SMG instance and make the change.
Hope this helps.
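The procedure above (save the "sshd-config -v" output, drop the flagged key-exchange algorithm, feed the remaining list back with "-k") lends itself to a small helper that does the list editing for you and refuses to produce an empty list, which is the "configure yourself out of the box" failure mode the post warns about. The following Python is an added example for this thread, not code from Symantec/Broadcom or the Messaging Gateway product; it only parses the "Attribute '...' is set to '...'." line format shown in the session above and builds the command string, it does not run sshd-config itself. The sample output it parses is constructed for the example.

```python
from __future__ import annotations

import re
import shlex

# Constructed sample in the format printed by "sshd-config -v" in the thread.
SAMPLE_OUTPUT = """\
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256'.
"""

# One "Attribute 'name' is set to 'value'." line; the value is a comma list.
ATTR_RE = re.compile(r"^Attribute '(?P<name>[^']+)' is set to '(?P<value>[^']*)'\.$")


def parse_sshd_config(output: str) -> dict[str, list[str]]:
    """Turn saved 'sshd-config -v' output into {attribute: [values]}.

    Lines that do not match the attribute format (prompts, blank lines)
    are ignored, so the whole captured terminal session can be pasted in.
    """
    attrs: dict[str, list[str]] = {}
    for line in output.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[m.group("name")] = [v for v in m.group("value").split(",") if v]
    return attrs


def plan_kex_change(current: list[str], remove: set[str]) -> list[str]:
    """Return the kex list with `remove` taken out, order preserved.

    Raises if the result would be empty (an empty KexAlgorithms list means
    no SSH client can connect any more) or if a name in `remove` is not
    actually configured (likely a typo, so nothing would change).
    """
    unknown = remove - set(current)
    if unknown:
        raise ValueError(f"not in current kexalgorithms: {sorted(unknown)}")
    new = [k for k in current if k not in remove]
    if not new:
        raise ValueError("refusing to remove every key-exchange algorithm")
    return new


def build_command(new_kex: list[str]) -> str:
    """Build the 'sshd-config -k' invocation for the new list (quoted for a shell)."""
    return "sshd-config -k " + shlex.quote(",".join(new_kex))


def describe_change(current: list[str], new: list[str]) -> str:
    """Mirror the before/after confirmation the tool prints, for review before running."""
    return (
        "Previous setting for KexAlgorithms:\n" + ",".join(current) + "\n"
        "New setting for KexAlgorithms:\n" + ",".join(new)
    )


if __name__ == "__main__":
    attrs = parse_sshd_config(SAMPLE_OUTPUT)
    current = attrs["kexalgorithms"]
    new = plan_kex_change(current, {"diffie-hellman-group-exchange-sha256"})
    print(describe_change(current, new))
    print(build_command(new))
```

Keep the saved "-v" output next to the generated command so the previous list can be fed back with the same "-k" syntax if the change turns out to be wrong; and, as the post notes, this has to be repeated per SMG instance since the setting is local to each box.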
Original Message:
Sent: Mar 24, 2022 09:20 AM
From: Margo Möls
Subject: Disabling old TLS protocols
Just applied patch "patch-10.7.5-291", but weak key exchange/TLS ciphers are still used. If I understand correctly, this patch only fixed this: "Administrators cannot change the Control Center's minimum TLS level using the cc-config command." but did not replace old and weak TLS ciphers?
My settings:
WEB:
Protocols > Settings > SMTP > SSL restrictions:
Disable support for TLSv1.1 and earlier protocols in all SMTP TLS conversations
CLI:
controlcenter [10.7.5-4]> cc-config --status
Control center log level is WARN.
Compliance log retention is 30 days.
Port 443 is enabled.
Port 41080 is disabled.
Status of clientAuth is disabled.
set_tls_min_level is tls12
Original Message:
Sent: Feb 24, 2022 10:28 AM
From: Thomas Anderson
Subject: Disabling old TLS protocols
This is a known issue in 10.7.5. A patch was released on Tuesday that resolves this and other issues.
If you apply the patch and re-do the change, it should take effect.
Original Message:
Sent: Feb 24, 2022 06:10 AM
From: Lody Daalen
Subject: Disabling old TLS protocols
Hello,
So I disabled TLS 1.1 and all older versions on my Symantec Messaging Gateway; however, a vulnerability scanner shows that old TLS is still being used. Also, when I run a test from the internet it looks like old TLS is still available.
Has anyone run into this problem before?
Thx!
Levd