Problem
On October 14, 2014, a vulnerability in SSL 3.0 known as POODLE (Padding Oracle On Downgraded Legacy Encryption, CVE-2014-3566) was publicly disclosed. Any server that still accepts SSL 3.0 connections is exposed to it.
Solution
The Tomcat servers embedded in the DCS 6.0.x and CSP 5.2.9 Managers still accept SSL 3.0 connections and are therefore susceptible to POODLE. Customers should restrict the SSL connectors in <server install>\tomcat\conf\server.xml to TLS only by adding the protocol list "TLSv1,TLSv1.1,TLSv1.2" to each of them; the attribute is sslEnabledProtocols on Tomcat 7.x and sslProtocols on Tomcat 5.x, as detailed below. All future releases will contain this change by default.
Recommended steps:
- Stop the CSP/DCS Manager service
- Take a backup of the server.xml file
- Edit server.xml to make the changes below, using an XML editor so that the attribute values are enclosed in plain ASCII double quotes (") rather than typographic quotes, which Tomcat will not parse
- Start the CSP/DCS Manager service
- Confirm after the restart that an SSL 3.0 handshake is refused (for example with a TLS scanner pointed at each connector port) and that agents and consoles still connect over TLS
CSP Server 5.2.9 MP1 – MP5 (having Tomcat 7.x)
DCS:SA Server 6.0, 6.0 MP1 (having Tomcat 7.x)
The entry sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to each of the three SSL Connectors configured in server.xml.
These SSL Connectors are for the:
- Tomcat Stand-Alone Agent Service
- Tomcat Stand-Alone Console Service
- Tomcat Stand-Alone Service
The following example shows this change:
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
    maxThreads="200" minSpareThreads="50" enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
    acceptCount="25" scheme="https" secure="true" SSLEnabled="true"
    keystorePass="<KeyStorePassword>"
    keystoreFile="<KeyStoreFilePath>"
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="%comma_separated_list_of_ciphers%"/>
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
    maxThreads="40" minSpareThreads="10" enableLookups="false"
    disableUploadTimeout="true" maxKeepAliveRequests="1"
    acceptCount="10" scheme="https" secure="true" SSLEnabled="true"
    keystorePass="<KeyStorePassword>"
    keystoreFile="<KeyStoreFilePath>"
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="%comma_separated_list_of_ciphers%"/>
CSP Server 5.2.8 – 5.2.8 MP4 and 5.2.9 (having Tomcat 5.x):
In Tomcat 5.x the attribute is named sslProtocols rather than sslEnabledProtocols. The entry sslProtocols="TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connector configured in server.xml:
- Tomcat Stand-Alone Service
The entry sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2" needs to be added to the following SSL Connectors configured in server.xml:
- Tomcat Stand-Alone Console Service
- Tomcat Stand-Alone Agent Service
SSLv2Hello only allows a client to wrap its ClientHello in the SSLv2-compatible record format, and is kept on the console and agent connectors for compatibility with the clients that connect there. It does not enable SSL 2.0 or SSL 3.0: the version actually negotiated must still be one of the TLS versions listed after it.
The following example shows this change:
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
    maxThreads="200" minSpareThreads="50" maxSpareThreads="100"
    enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
    acceptCount="25" debug="0" scheme="https" secure="true"
    keystorePass="<KeyStorePassword>"
    keystoreFile="<KeyStoreFilePath>"
    clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
    ciphers="%comma_separated_list_of_ciphers%"/>
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
    maxThreads="40" minSpareThreads="10" maxSpareThreads="25"
    enableLookups="false" disableUploadTimeout="true" maxKeepAliveRequests="1"
    acceptCount="10" debug="0" scheme="https" secure="true"
    keystorePass="<KeyStorePassword>"
    keystoreFile="<KeyStoreFilePath>"
    clientAuth="false" sslProtocol="TLS" sslProtocols="SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2"
    ciphers="%comma_separated_list_of_ciphers%"/>
<Connector port="%AGENT_PORT% / %CONSOLE_PORT% / %ADMIN_PORT%"
    maxThreads="55" minSpareThreads="5" maxSpareThreads="8"
    enableLookups="false" acceptCount="10" maxKeepAliveRequests="1" debug="0"
    connectionTimeout="20000" scheme="https" disableUploadTimeout="true" secure="true"
    keystorePass="<KeyStorePassword>"
    keystoreFile="<KeyStoreFilePath>"
    clientAuth="false" sslProtocol="TLS" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="%comma_separated_list_of_ciphers%"/>
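The edit above is easy to get wrong by hand: a word processor substitutes typographic quotes, one of the three connectors is missed, or the Tomcat 5.x attribute name is used on a Tomcat 7.x server. The following script is an added example written for this page; it is not part of the Symantec product or of the original article. It parses server.xml with Python's xml.dom.minidom (which writes attribute values back in plain ASCII double quotes and keeps comments), picks the attribute name from the Tomcat major version, sets the TLS-only list on every SSL connector, allows SSLv2Hello only on the ports you name (the console and agent connectors on Tomcat 5.x), and reports which connectors would still negotiate SSLv3. The sample server.xml, its port numbers and the keystore values are constructed for illustration; the backup-to-.bak behaviour in harden_file is this example's own convention.

```python
"""Added example: restrict Tomcat SSL connectors to TLS in server.xml.

Hypothetical helper, not part of the Symantec product or the article.
It uses xml.dom.minidom so attribute values come out in plain ASCII
double quotes and comments survive, which hand-editing in a word
processor does not guarantee. The sample server.xml below is constructed
for illustration and is not a real SCSP/DCS configuration.
"""
import shutil
import xml.dom.minidom as minidom

TLS_ONLY = "TLSv1,TLSv1.1,TLSv1.2"
# SSLv2Hello only permits the SSLv2-compatible ClientHello wrapper;
# the negotiated version must still be one of the listed TLS versions.
TLS_ONLY_WITH_V2HELLO = "SSLv2Hello," + TLS_ONLY

# Constructed sample: one connector with no protocol list (JSSE defaults,
# which on the Java 6/7 runtimes of 2014 included SSLv3), one that lists
# SSLv3 explicitly, one already TLS-only, and a plain HTTP connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <!-- constructed sample, not a real server.xml -->
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/keystore" keystorePass="changeit"/>
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="SSLv3,TLSv1"
               keystoreFile="conf/keystore" keystorePass="changeit"/>
    <Connector port="8445" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="conf/keystore" keystorePass="changeit"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def protocol_attribute(tomcat_major):
    """Tomcat 7.x reads sslEnabledProtocols; Tomcat 5.x reads sslProtocols."""
    return "sslEnabledProtocols" if tomcat_major >= 7 else "sslProtocols"


def is_ssl_connector(conn):
    """Tomcat 7 marks TLS connectors with SSLEnabled; Tomcat 5.x only has scheme/secure."""
    return (conn.getAttribute("SSLEnabled").lower() == "true"
            or (conn.getAttribute("scheme") == "https"
                and conn.getAttribute("secure").lower() == "true"))


def find_weak_connectors(xml_text, tomcat_major):
    """Return the ports of SSL connectors that may still negotiate SSLv3."""
    attr = protocol_attribute(tomcat_major)
    weak = []
    for conn in minidom.parseString(xml_text).getElementsByTagName("Connector"):
        if not is_ssl_connector(conn):
            continue
        listed = {p.strip() for p in conn.getAttribute(attr).split(",") if p.strip()}
        # No explicit list means the JSSE default set, which included SSLv3
        # until the January 2015 JDK updates; an explicit SSLv3 is worse.
        if not listed or "SSLv3" in listed:
            weak.append(conn.getAttribute("port"))
    return weak


def harden(xml_text, tomcat_major, v2hello_ports=()):
    """Set the TLS-only protocol list on every SSL connector.

    v2hello_ports: ports (as strings) whose clients still send the
    SSLv2-compatible hello, as the article prescribes for the Tomcat 5.x
    console and agent connectors. Returns (new_xml, number_changed).
    """
    doc = minidom.parseString(xml_text)
    attr = protocol_attribute(tomcat_major)
    changed = 0
    for conn in doc.getElementsByTagName("Connector"):
        if not is_ssl_connector(conn):
            continue
        wanted = TLS_ONLY_WITH_V2HELLO if conn.getAttribute("port") in v2hello_ports else TLS_ONLY
        if conn.getAttribute(attr) != wanted:
            conn.setAttribute(attr, wanted)
            changed += 1
    return doc.toxml(), changed


def harden_file(path, tomcat_major, v2hello_ports=()):
    """Back up server.xml to server.xml.bak (this example's convention), then rewrite it."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_xml, changed = harden(fh.read(), tomcat_major, v2hello_ports)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    return changed


if __name__ == "__main__":
    print("weak before:", find_weak_connectors(SAMPLE_SERVER_XML, 7))
    fixed, n = harden(SAMPLE_SERVER_XML, 7)
    print("connectors changed:", n, "weak after:", find_weak_connectors(fixed, 7))
```

Run it against a copy of server.xml with the Manager service stopped, then re-run find_weak_connectors on the result before starting the service again. The check is static: it tells you what the file permits, not what the running server negotiates, so the post-restart handshake test from the steps above is still needed. On a Tomcat 5.x server pass the console and agent ports in v2hello_ports; on Tomcat 7.x leave it empty, matching the two configurations shown above.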
—
This issue has been addressed in SCSP 5.2.9 MP6 (Symantec Critical System Protection 5.2 RU9 MP6), which uses only the TLSv1.x protocols to communicate among the server, agents, and console, so no manual edit of server.xml is needed on that release.
—
References
https://support.symantec.com/en_US/article.TECH225827.html