Jump to content

Archived

This topic is now archived and is closed to further replies.

RichardW

Query over TLS1.0

Recommended Posts

Hi,

we're currently trying to use "ESET File Security for Servers" and "ESET Security Management Center" within a PCI environment

one of the requirements of this is to avoid TLS1.0 and use TLS1.1 or TLS1.2 instead.

One of the things that showing up on the nessus port scan is that ESET Security Management Center is using TLS1.0 on ports 443 / 2222 / 2223

I have TLS1.0 disabled at the operating system level (within the registry) but is there any way to get ESET Security Management Center to use TLS1.1 or TLS1.2? (to disable the use of TLS1.0)

Share this post


Link to post
Share on other sites

You can accomplish this by enabling advanced security in the ESMC server setup and re-regenerating CA and peer certificates.

image.png

Share this post


Link to post
Share on other sites
1 hour ago, Marcos said:

You can accomplish this by enabling advanced security in the ESMC server setup:

image.png

Hi Marcos this seems to fix ports 2222 and 2223

port 443 seems to flag up as still supporting TLS1.0 (for the web gui), will there be a way in the future to disable TLS1.0 on this port as well?

Share this post


Link to post
Share on other sites
1 hour ago, Marcos said:

You can accomplish this by enabling advanced security in the ESMC server setup and re-regenerating CA and peer certificates.

image.png

If I do this now, what steps would I need to take in order for current clients to communicate correctly with ESMC?

Second question, why is this not on by default?

Maybe you could make checkbox in initial wizard to ask during deployment for protocol TLS 1.0, TLS 1.1 or TLS 1.2 ?

Share this post


Link to post
Share on other sites

Note I didn't have to make any changes to the clients to get it to work

generally for PCI TLS1.1 / TLS1.2 is fine, but TLS1.0 is a big no no

Share this post


Link to post
Share on other sites
4 hours ago, RichardW said:

port 443 seems to flag up as still supporting TLS1.0 (for the web gui), will there be a way in the future to disable TLS1.0 on this port as well?

Unfortunately this is not configurable via UI. It i actually part of Apache Tomcat configuration distributed with ESMC. Please check following KB3724 but just search for TLSv1 and you will understand what to search for in server.xml configuration file. There is no need to follow this KB as it is unrelated.

Regarding question why it TLS1 enabled by default - it is due to backward compatibility as ERA6 clients were using TLS layer provided by system itself, and we do still support older systems (Windows XP as an example, but also older Linux and macOS) which do not support TLS 1.2.

Share this post


Link to post
Share on other sites

Thanks for pointing me in the right direction, I'll have a look at that KB article

Share this post


Link to post
Share on other sites
14 hours ago, RichardW said:

Thanks for pointing me in the right direction, I'll have a look at that KB article

Hope that helps. Crucial parameters are:

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA"

where you can limit not only TLS protocol but also list of supported cipher suites, even when we have already enabled only those most secure and considered as secure by various analysis tools.

Share this post


Link to post
Share on other sites

Thanks

I just needed to change

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

to

sslEnabledProtocols="TLSv1.1,TLSv1.2"

within C:\Program Files\Apache Software Foundation\apache-tomcat-7.0.92\conf\server.conf

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...