Messaging Gateway


Disabling old TLS protocols

  • 1.  Disabling old TLS protocols

    Posted Feb 24, 2022 06:10 AM
    Hello,

    So I disabled TLS 1.1 and all older versions on my Symantec Messaging Gateway; however, a vulnerability scanner shows that old TLS is still being used. Also, when I run a test from the internet it looks like old TLS is still available.

    Has anyone run into this problem before?

    Thx!
    Levd


  • 2.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 06:56 AM
    Put the latest patch for SMG on. It just came out.




  • 3.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:01 AM
    Running 10.7.5-4 and there is no new version. Maybe wait a bit?


  • 4.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:03 AM
    No. Get the latest patch. Go to your SMG and run the patch list command.




  • 5.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:24 AM
    I'm checking the version on the web interface.
    Do I need to run a patch list command on the CLI? And can you tell me the command?


  • 6.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 07:26 AM
    CLI. Run the command patch list.




  • 7.  RE: Disabling old TLS protocols

    Broadcom Employee
    Posted Feb 24, 2022 10:29 AM
    This is a known issue in 10.7.5.  A patch was released on Tuesday that resolves this and other issues.
    If you apply the patch and re-do the change, it should take effect.


  • 8.  RE: Disabling old TLS protocols

    Posted Feb 24, 2022 10:32 AM
    Didn’t I say that like 4 hours ago. Lol




  • 9.  RE: Disabling old TLS protocols

    Posted Mar 24, 2022 09:20 AM

    Just applied patch "patch-10.7.5-291", but weak key exchange/TLS ciphers are still used. Do I understand correctly that this patch only fixed this: "Administrators cannot change the Control Center's minimum TLS level using the cc-config command." but did not replace old and weak TLS ciphers?

    My settings:

    WEB:
    Protocols > Settings > SMTP > SSL restrictions:
    Disable support for TLSv1.1 and earlier protocols in all SMTP TLS conversations
    CLI:
    controlcenter [10.7.5-4]> cc-config --status
    Control center log level is WARN.
    Compliance log retention is 30 days.
    Port 443 is enabled.
    Port 41080 is disabled.
    Status of clientAuth is disabled.
    set_tls_min_level is tls12




  • 10.  RE: Disabling old TLS protocols

    Broadcom Employee
    Posted Mar 24, 2022 02:43 PM

    I suspect the report regarding kex algorithms is probably due to it probing the ssh port/service and it's not related to TLS usage for HTTPS or SMTP/TLS (this is just my guess, so you should confirm by looking at your report).  If my guess turns out to be correct I would suggest you take a look at the "sshd-config" command line tool.  "sshd-config -v" will display all the current settings, for example:

    qa-r610-01 [10.7.5-4]> sshd-config -v
    Attribute 'protocol' is set to 'default'.
    Attribute 'ciphers' is set to '3des-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr'.
    Attribute 'macs' is set to 'hmac-sha2-256,hmac-sha2-512'.
    Attribute 'kexalgorithms' is set to 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'.

    You can modify the kexalgorithms by using the "-k" option and specifying a comma separated list of the algorithms you want to be in effect.
    STRONGLY recommend that you run the "-v" option first and save the output so that you can recover in case you accidentally "configure yourself out of the box"!  
    A sample session: suppose you determine that your audit is complaining about diffie-hellman-group-exchange-sha256 (it shouldn't be, but this is just an example). Then you would run 

    sshd-config -k 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
    Previous setting for KexAlgorithms:
    curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    New setting for KexAlgorithms:
    curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

    Do you wish to make this change? (yes/no)
    respond "yes" and the new list will go into effect.

    Like i said before:  be extra careful when you are modifying these values.

    Note that this is a "cli" command, so you will have to login to each SMG instance and make the change.
    Hope this helps.




  • 11.  RE: Disabling old TLS protocols

    Broadcom Employee
    Posted Mar 24, 2022 05:34 PM
    PS: could you please post here what algorithm(s) your audit is complaining about? I'm really curious, since the values the product (at least at the 10.7.5 level) ships with are based on the IETF recommended kex algorithms from 2020 and I'm not aware of any of them being deprecated or downgraded. 
    Thanks!


  • 12.  RE: Disabling old TLS protocols

    Posted Mar 25, 2022 05:43 AM

    Hardenize.com, Section Email and TLS:

    I suspect changing SSH ciphers won't change these Email TLS parameters.
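
    Because TLS is offered on more than one listener, the quickest way to see which one a scanner is still flagging is to pin a single protocol version per handshake and try each service. The probe below is an added example, not code from the Messaging Gateway or from anyone in this thread; the host name is a placeholder, ports 25 and 443 are assumed from the cc-config output earlier in the thread, and the client side must itself still allow TLS 1.0/1.1 (OpenSSL 3 refuses them at the default security level, and some distributions pin MinProtocol in openssl.cnf).

```python
"""Probe which TLS versions an SMG accepts on SMTP (STARTTLS) and Control Center HTTPS.

Added example, not Messaging Gateway code. Host and ports are placeholders.
Each probe pins exactly one protocol version, so a completed handshake means
the server still accepts that version whatever the GUI setting says.
"""
import io
import socket
import ssl
from typing import Dict, List, Tuple

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

# Constructed EHLO reply used for offline testing of the reply parser.
SAMPLE_EHLO_REPLY = (b"250-smg.example.invalid\r\n250-PIPELINING\r\n"
                     b"250-STARTTLS\r\n250 SIZE 10485760\r\n")


def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that will negotiate exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # testing protocol support, not the chain
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses TLS 1.0/1.1 at security level 1; lower it so a
        # failure means the SERVER declined, not the client.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL): nothing to lower
    return ctx


def reply_from_bytes(data: bytes):
    """Wrap a constructed reply in a readable stream (offline testing)."""
    return io.BytesIO(data)


def read_smtp_reply(stream) -> Tuple[str, List[str]]:
    """Read one (possibly multi-line) SMTP reply; return (code, text lines)."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues
            return line[:3], lines


def starttls_advertised(ehlo_lines: List[str]) -> bool:
    return any(l.strip().upper() == "STARTTLS" for l in ehlo_lines)


def smtp_accepts(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the MTA completes a STARTTLS handshake at exactly `version`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rb")
            if read_smtp_reply(f)[0] != "220":
                return False
            sock.sendall(b"EHLO tlsprobe.example\r\n")
            code, ehlo = read_smtp_reply(f)
            if code != "250" or not starttls_advertised(ehlo):
                return False
            sock.sendall(b"STARTTLS\r\n")
            if read_smtp_reply(f)[0] != "220":
                return False
            with pinned_context(version).wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ValueError):          # ssl.SSLError is an OSError
        return False


def https_accepts(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """True if the HTTPS listener completes a handshake at exactly `version`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with pinned_context(version).wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ValueError):
        return False


def probe(host: str, smtp_port: int = 25, https_port: int = 443) -> Dict[str, Dict[str, bool]]:
    return {name: {"smtp": smtp_accepts(host, smtp_port, v),
                   "https": https_accepts(host, https_port, v)}
            for name, v in VERSIONS.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "smg.example.invalid"  # placeholder
    for name, result in probe(target).items():
        print(f"{name:8} SMTP:{'accepted' if result['smtp'] else 'refused':9} "
              f"HTTPS:{'accepted' if result['https'] else 'refused'}")
```

    Run it from a host outside the gateway (`python3 tlsprobe.py smg.example.com`). If TLSv1.1 or TLSv1.0 shows "accepted" on SMTP after the "Disable support for TLSv1.1 and earlier" setting, that is what the scanner is seeing; if it is accepted only on HTTPS, the relevant knob is the Control Center minimum level reported by `cc-config --status`; if both listeners refuse everything below TLSv1.2, the finding is probably about another service, such as the SSH port discussed above.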



  • 13.  RE: Disabling old TLS protocols

    Posted 29 days ago

    I wonder if there is any update on this? I still get the vulnerability once in a while from Qualys.

    I'm using the option "disable support for TLS 1.1 and earlier versions" but still get QID 38863.

    How do I get rid of this vulnerability? I'm running Symantec Messaging Gateway 10.8.1-7; is there any new version? It's not available from the web GUI, and from the CLI, when running the "patch list" command, there is no new version but only a repo error.




  • 14.  RE: Disabling old TLS protocols

    Posted 29 days ago
    Update to 10.9 and then use the patch for 10.9. Then you should be awesome.




  • 15.  RE: Disabling old TLS protocols

    Posted 29 days ago

    Hi Alexander,

    How do I upgrade to 10.9? I don't see it available in the web GUI or CLI.

    Regards,

    Levd




  • 16.  RE: Disabling old TLS protocols

    Posted 29 days ago
    What version are you on?




  • 17.  RE: Disabling old TLS protocols

    Posted 29 days ago

    10.8.1-7




  • 18.  RE: Disabling old TLS protocols

    Posted 29 days ago
    How to upgrade the Messaging Gateway (SMG) to a specific version or release: https://knowledge.broadcom.com/external/article/177700/how-to-upgrade-the-messaging-gateway-smg.html




  • 19.  RE: Disabling old TLS protocols

    Broadcom Employee
    Posted 29 days ago

    TLS is used in more than one area of the Messaging Gateway and I didn't see clarification on exactly what you are having issues with. Some of the original information on this thread was for an issue specific to an older release. We haven't seen any issues in current releases, including 10.8.1. So, I recommend going through this document:

    Securing Messaging Gateway Best Practices

    If your issues persist, then open a support ticket. This is a general community board and not a place for technical support. There are non-Broadcom forum users that can post incorrect or misleading information here that can make corrective steps more difficult.



    ------------------------------
    Support Engineer
    * Integrated Cyber Defense Exchange
    * Messaging Gateway
    * Packet Shaper
    Symantec Enterprise Division
    Broadcom Software
    ------------------------------



  • 20.  RE: Disabling old TLS protocols

    Posted 29 days ago
    I concur




  • 21.  RE: Disabling old TLS protocols

    Posted 29 days ago

    Thanks Alexander.

    Art_P, I think you might be right about misleading or incorrect information; however, in the past 15 years or so we have had great support on the community forums at Symantec / Broadcom. Most of the time, contacting "technical" support did not have the desired effect, to say the least, and known community members could help out much more effectively.

    But anyway, 10.8.1-7 did not resolve the issue, and the issue keeps coming back, but I will take a look at your document. Also, there is no new version available in the web GUI or in the CLI (unable to access repo).




  • 22.  RE: Disabling old TLS protocols

    Posted 29 days ago
    Upgrade and retest. Make sure you have good backups.




  • 23.  RE: Disabling old TLS protocols

    Posted 29 days ago

    I don't know how to get the update :)




  • 24.  RE: Disabling old TLS protocols

    Posted 29 days ago
    It's in the doc I sent you.