Messaging Gateway


Disabling old TLS protocols

  • 1.  Disabling old TLS protocols

    Posted Feb 24, 2022 06:10 AM
    Hello,

    So I disabled TLS 1.1 and all older versions on my Symantec Messaging Gateway; however, a vulnerability scanner shows that old TLS is still being used. Also, when I run a test from the internet, it looks like old TLS is still available.

    Has anyone run into this problem before?

    Thx!
    Levd


  • 2.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 06:56 AM
    Put the latest patch from smg on. It just came out.




  • 3.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:01 AM
    Running 10.7.5-4 and there is no new version. Maybe wait a bit?


  • 4.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:03 AM
    No. Get the latest patch. Go to your SMG and run the patch list command.




  • 5.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:24 AM
    I'm checking the version on the web interface.
    Do I need to run a patch list command on the CLI? And can you tell me the command?


  • 6.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:26 AM
    CLI. Run the command patch list.




  • 7.  RE: Disabling old TLS protocols

    Broadcom Employee
    Posted Feb 24, 2022 10:29 AM
    This is a known issue in 10.7.5.  A patch was released on Tuesday that resolves this and other issues.
    If you apply the patch and re-do the change, it should take effect.


  • 8.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 10:32 AM
    Didn’t I say that like 4 hours ago. Lol




  • 9.  RE: Disabling old TLS protocols

    Posted Mar 24, 2022 09:20 AM

    Just applied patch "patch-10.7.5-291", but weak key exchange/TLS ciphers are still used. If I understand correctly, this patch only fixed this: "Administrators cannot change the Control Center's minimum TLS level using the cc-config command." but did not replace the old and weak TLS ciphers?

    My settings:

    WEB:
    Protocols > Settings > SMTP > SSL restrictions:
    Disable support for TLSv1.1 and earlier protocols in all SMTP TLS conversations
    CLI:
    controlcenter [10.7.5-4]> cc-config --status
    Control center log level is WARN.
    Compliance log retention is 30 days.
    Port 443 is enabled.
    Port 41080 is disabled.
    Status of clientAuth is disabled.
    set_tls_min_level is tls12




  • 10.  RE: Disabling old TLS protocols

    Broadcom Employee
    Posted Mar 24, 2022 02:43 PM

    I suspect the report regarding kex algorithms is probably due to it probing the ssh port/service and it's not related to TLS usage for HTTPS or SMTP/TLS (this is just my guess, so you should confirm by looking at your report).  If my guess turns out to be correct I would suggest you take a look at the "sshd-config" command line tool.  "sshd-config -v" will display all the current settings, for example:

    qa-r610-01 [10.7.5-4]> sshd-config -v
    Attribute 'protocol' is set to 'default'.
    Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr'.
    Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
    Attribute 'kexalgorithms' is set to 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'.

    You can modify the kexalgorithms by using the "-k" option and specifying a comma-separated list of the algorithms you want to be in effect.
    I STRONGLY recommend that you run the "-v" option first and save the output so that you can recover in case you accidentally "configure yourself out of the box"!
    A sample session: suppose you determine that your audit is complaining about diffie-hellman-group-exchange-sha256 (it shouldn't be, but this is just an example). Then you would run

    sshd-config -k 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
    Previous setting for KexAlgorithms:
    curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    New setting for KexAlgorithms:
    curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

    Do you wish to make this change? (yes/no)
    respond "yes" and the new list will go into effect.

    Like I said before: be extra careful when you are modifying these values.

    Note that this is a "cli" command, so you will have to login to each SMG instance and make the change.
    Hope this helps.

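    The workflow in the reply above (save the "sshd-config -v" output first, then hand "-k" the full list minus the entries the audit flagged) is easy to get wrong by hand-editing a long comma-separated string. The following script is an added example, not code from the thread or from Symantec/Broadcom: it parses saved "-v" output, reports entries a scanner commonly flags (the CBC-mode cipher check is this example's own assumption, not something the thread states), and builds the exact "sshd-config -k" command from the saved kex list so nothing is retyped. The sample output is a constructed copy of the values shown in the reply.

```python
import re
from typing import Dict, List

# Constructed sample: what "sshd-config -v" printed in the thread, pasted verbatim.
SAMPLE_OUTPUT = """\
Attribute 'protocol' is set to 'default'.
Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr'.
Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
Attribute 'kexalgorithms' is set to 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'.
"""

# Matches one "Attribute 'name' is set to 'value'." line.
ATTR_RE = re.compile(r"Attribute '(\w+)' is set to '([^']*)'\.")


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Turn saved 'sshd-config -v' output into {attribute: [values in order]}."""
    return {m.group(1): m.group(2).split(",") for m in ATTR_RE.finditer(text)}


def flagged_ciphers(ciphers: List[str]) -> List[str]:
    """Report-only: CBC-mode SSH ciphers are what scanners usually object to.
    Assumption of this example; the thread only documents the '-k' (kex) flag,
    so no cipher-changing command is generated here."""
    return [c for c in ciphers if c.endswith("-cbc") or "-cbc@" in c]


def drop_kex(current: List[str], remove: List[str]) -> List[str]:
    """Remove only the named kex entries, preserving the appliance's order.
    Refuses to produce an empty list, which would lock SSH out entirely."""
    kept = [k for k in current if k not in set(remove)]
    if not kept:
        raise ValueError("refusing to remove every key exchange algorithm")
    return kept


def build_kex_command(algorithms: List[str]) -> str:
    """Render the exact CLI line to paste on each SMG host ('-k' per the reply)."""
    return f"sshd-config -k '{','.join(algorithms)}'"


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_OUTPUT)
    print("ciphers a scanner would likely flag:", flagged_ciphers(cfg["ciphers"]))
    new_kex = drop_kex(cfg["kexalgorithms"], ["diffie-hellman-group-exchange-sha256"])
    print(build_kex_command(new_kex))
```

Keep the original "-v" output alongside the generated command; re-running build_kex_command on the saved kexalgorithms list with an empty removal list reproduces the previous setting for rollback.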



  • 11.  RE: Disabling old TLS protocols

    Broadcom Employee