RichardW, posted April 26, 2019:

Hi, we're currently trying to use "ESET File Security for Servers" and "ESET Security Management Center" within a PCI environment. One of the requirements of this is to avoid TLS 1.0 and use TLS 1.1 or TLS 1.2 instead. One of the things showing up on the Nessus port scan is that ESET Security Management Center is using TLS 1.0 on ports 443 / 2222 / 2223. I have TLS 1.0 disabled at the operating system level (within the registry), but is there any way to get ESET Security Management Center to use TLS 1.1 or TLS 1.2 (to disable the use of TLS 1.0)?
Marcos (ESET Administrator), posted April 26, 2019:

You can accomplish this by enabling advanced security in the ESMC server setup and regenerating the CA and peer certificates.
RichardW, posted April 26, 2019:

Aha, thanks.
RichardW, posted April 26, 2019:

Quoting Marcos (1 hour ago): "You can accomplish this by enabling advanced security in the ESMC server setup."

Hi Marcos, this seems to fix ports 2222 and 2223; port 443 seems to flag up as still supporting TLS 1.0 (for the web GUI). Will there be a way in the future to disable TLS 1.0 on this port as well?
bbahes, posted April 26, 2019:

Quoting Marcos (1 hour ago): "You can accomplish this by enabling advanced security in the ESMC server setup and re-regenerating CA and peer certificates."

If I do this now, what steps would I need to take in order for current clients to communicate correctly with ESMC? Second question: why is this not on by default? Maybe you could make a checkbox in the initial wizard to ask during deployment for protocol TLS 1.0, TLS 1.1 or TLS 1.2?
RichardW, posted April 26, 2019:

Note I didn't have to make any changes to the clients to get it to work. Generally for PCI, TLS 1.1 / TLS 1.2 is fine, but TLS 1.0 is a big no-no.
MartinK (ESET Staff), posted April 26, 2019 (edited April 26, 2019 by MartinK):

Quoting RichardW (4 hours ago): "port 443 seems to flag up as still supporting TLS1.0 (for the web gui), will there be a way in the future to disable TLS1.0 on this port as well?"

Unfortunately this is not configurable via the UI. It is actually part of the Apache Tomcat configuration distributed with ESMC. Please check the following KB3724, but just search for TLSv1 and you will understand what to search for in the server.xml configuration file. There is no need to follow this KB, as it is unrelated.

Regarding the question why TLS 1 is enabled by default: it is due to backward compatibility, as ERA6 clients were using the TLS layer provided by the system itself, and we do still support older systems (Windows XP as an example, but also older Linux and macOS) which do not support TLS 1.2.
RichardW, posted April 26, 2019:

Thanks for pointing me in the right direction, I'll have a look at that KB article.
MartinK (ESET Staff), posted April 27, 2019:

Quoting RichardW (14 hours ago): "Thanks for pointing me in the right direction, I'll have a look at that KB article"

Hope that helps. Crucial parameters are:

    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA"

where you can limit not only the TLS protocol but also the list of supported cipher suites, even though we have already enabled only those considered most secure by various analysis tools.
RichardW, posted April 29, 2019:

Thanks, I just needed to change

    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"

to

    sslEnabledProtocols="TLSv1.1,TLSv1.2"

within C:\Program Files\Apache Software Foundation\apache-tomcat-7.0.92\conf\server.conf
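As an added example (not code from the thread or from ESET), a small Python audit that reads a Tomcat server.xml, reports every SSL-enabled Connector whose sslEnabledProtocols still lists TLSv1, and writes back the trimmed attribute that MartinK and RichardW describe above; the server.xml text is constructed for the example, and the port numbers and paths in it are placeholders, not ESET's shipped configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the Tomcat server.xml discussed in the thread
# (not ESET's shipped file). The HTTPS connector still allows TLSv1.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Protocol names (as Tomcat/JSSE spells them) that fail the TLS 1.1+ requirement.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# Fallback if trimming would leave the attribute empty (Tomcat would then use its defaults).
FALLBACK_PROTOCOLS = "TLSv1.1,TLSv1.2"

def split_list(value):
    """Split a comma-separated Tomcat attribute value, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_connectors(xml_text):
    """One finding per SSL-enabled Connector: its port, enabled protocols, and legacy ones."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP / AJP connectors carry no TLS settings
        enabled = split_list(conn.get("sslEnabledProtocols", ""))
        legacy = [p for p in enabled if p in LEGACY_PROTOCOLS]
        findings.append({"port": conn.get("port"), "enabled": enabled, "legacy": legacy})
    return findings

def harden_protocols(value):
    """Remove legacy protocols from an sslEnabledProtocols value, preserving order."""
    kept = [p for p in split_list(value) if p not in LEGACY_PROTOCOLS]
    return ",".join(kept) if kept else FALLBACK_PROTOCOLS

def harden_server_xml(xml_text):
    """Rewrite sslEnabledProtocols on every SSL-enabled Connector; return the new XML text."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true" and conn.get("sslEnabledProtocols"):
            conn.set("sslEnabledProtocols", harden_protocols(conn.get("sslEnabledProtocols")))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: enabled={f['enabled']} legacy={f['legacy']}")
    print(audit_connectors(harden_server_xml(SAMPLE_SERVER_XML)))
```

Run the audit against a copy of the real server.xml first; ElementTree drops XML comments on rewrite, so apply the reported attribute change to the live file by hand if those comments matter to you.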