Query over TLS1.0

[RichardW 3]

Hi,

we're currently trying to use "ESET File Security for Servers" and "ESET Security Management Center" within a PCI environment

one of the requirements of this is to avoid TLS1.0 and use TLS1.1 or TLS1.2 instead.

One of the things that showing up on the nessus port scan is that ESET Security Management Center is using TLS1.0 on ports 443 / 2222 / 2223

I have TLS1.0 disabled at the operating system level (within the registry) but is there any way to get ESET Security Management Center to use TLS1.1 or TLS1.2? (to disable the use of TLS1.0)

[Marcos 5,070]

You can accomplish this by enabling advanced security in the ESMC server setup and re-regenerating CA and peer certificates.

[RichardW 3]

aha thanks

[RichardW 3]

1 hour ago, Marcos said:

You can accomplish this by enabling advanced security in the ESMC server setup:

Hi Marcos this seems to fix ports 2222 and 2223

port 443 seems to flag up as still supporting TLS1.0 (for the web gui), will there be a way in the future to disable TLS1.0 on this port as well?

[bbahes 29]

1 hour ago, Marcos said:

You can accomplish this by enabling advanced security in the ESMC server setup and re-regenerating CA and peer certificates.

If I do this now, what steps would I need to take in order for current clients to communicate correctly with ESMC?

Second question, why is this not on by default?

Maybe you could make checkbox in initial wizard to ask during deployment for protocol TLS 1.0, TLS 1.1 or TLS 1.2 ?

[RichardW 3]

Note I didn't have to make any changes to the clients to get it to work

generally for PCI TLS1.1 / TLS1.2 is fine, but TLS1.0 is a big no no

[MartinK 378]

4 hours ago, RichardW said:

port 443 seems to flag up as still supporting TLS1.0 (for the web gui), will there be a way in the future to disable TLS1.0 on this port as well?

Unfortunately this is not configurable via UI. It i actually part of Apache Tomcat configuration distributed with ESMC. Please check following KB3724 but just search for TLSv1 and you will understand what to search for in server.xml configuration file. There is no need to follow this KB as it is unrelated.

Regarding question why it TLS1 enabled by default - it is due to backward compatibility as ERA6 clients were using TLS layer provided by system itself, and we do still support older systems (Windows XP as an example, but also older Linux and macOS) which do not support TLS 1.2.

Edited April 26, 2019 by MartinK

[RichardW 3]

Thanks for pointing me in the right direction, I'll have a look at that KB article

[MartinK 378]

14 hours ago, RichardW said:

Thanks for pointing me in the right direction, I'll have a look at that KB article

Hope that helps. Crucial parameters are:

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA"

where you can limit not only TLS protocol but also list of supported cipher suites, even when we have already enabled only those most secure and considered as secure by various analysis tools.

[RichardW 3]

Thanks

I just needed to change

sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

to

sslEnabledProtocols="TLSv1.1,TLSv1.2"

within C:\Program Files\Apache Software Foundation\apache-tomcat-7.0.92\conf\server.conf