How to disable TLS 1.0 and TLS 1.1?

I've got DP10.04 installed.

To my surprise, my company's security organization tells me that my DP10 clients are not compliant with security requirements because port 5555 has TLS 1.0 and TLS 1.1 enabled. (I've run the -secure_comm command between the clients and cell manager.)

When I run the following command, I get a syntax error:

omnicc -encr_param dp10client -tls_min 1.2

Anyone know how to disable TLS 1.0 and TLS 1.1 for clients?

(BTW, anyone else love the way that some parameters in the omnicc man page synopsis are documented and some are not? And some parameters, like encr_param, are documented but aren't included in the synopsis section?)

Bob

  • Hello,

    Secure comm is enabled by default and cannot be disabled on DP.

    According to the documentation, DP 10.04 uses TLS 1.2:

    https://docs.microfocus.com/itom/Data_Protector:10.04/Get_started/Concepts/c01-00about_dp_and_backup#AboutDataProtector

    • All communications between the different Data Protector entities are over a secure TLS 1.2 channel.


  • The documentation certainly does say that.

    However, when I run nmap on port 5555 on a DP10.04 client for which secure communications have been enabled between it and its cell manager, I get the following, which I think indicates that TLS 1.0 and TLS 1.1 are still enabled:

    5555/tcp open  ssl/freeciv?
    | ssl-enum-ciphers:
    |   SSLv3:
    |     ciphers:
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_SEED_CBC_SHA - strong
    |     compressors:
    |       NULL
    |   TLSv1.0:
    |     ciphers:
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_SEED_CBC_SHA - strong
    |     compressors:
    |       NULL
    |   TLSv1.1:
    |     ciphers:
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_SEED_CBC_SHA - strong
    |     compressors:
    |       NULL
    |   TLSv1.2:
    |     ciphers:
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_IDEA_CBC_SHA - weak
    |       TLS_RSA_WITH_RC4_128_MD5 - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_SEED_CBC_SHA - strong
    |     compressors:
    |       NULL
    |_  least strength: weak


    In contrast, when I perform that same port scan on another server that I know has only TLS 1.2 enabled, I get the following:

    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
    |     compressors:
    |       NULL
    |_  least strength: strong


    So, while the DP10 client is only enabled to run TLS 1.2 communications with its cell manager, corporate port scanning still thinks that vulnerable protocols are available on port 5555.

    Please correct me if I'm wrong.
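As an added example (not part of the thread, and not Data Protector code): a small parser for the nmap ssl-enum-ciphers output quoted above that lists the protocol versions a port actually offered and flags the ones a TLS 1.2-only policy would reject, plus legacy cipher suites. The sample scan text is a constructed excerpt of the port 5555 output.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the nmap ssl-enum-ciphers output for port 5555
# quoted in the thread (trimmed to a few cipher suites per protocol).
SAMPLE_SCAN = """\
5555/tcp open  ssl/freeciv?
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_MD5 - strong
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_IDEA_CBC_SHA - weak
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: weak
"""

# Versions a TLS 1.2-only policy must not offer at all.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+(\w+)\s*$")
# Suites nmap's older rating may still call "strong" but that are legacy today.
LEGACY_CIPHER_RE = re.compile(r"RC4|3DES|IDEA|NULL|EXPORT|_MD5")


def parse_enum_ciphers(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each protocol version in the scan to its (cipher, nmap rating) pairs."""
    versions: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):          # "|   TLSv1.0:" opens a new version
            current = m.group(1)
            versions[current] = []
        elif (m := CIPHER_RE.match(line)) and current:
            versions[current].append((m.group(1), m.group(2)))
    return versions


def compliance_findings(versions: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return one finding per deprecated version offered and per legacy/weak suite."""
    findings = []
    for proto in sorted(versions):
        if proto in DEPRECATED:
            findings.append(f"deprecated protocol offered: {proto}")
        for cipher, rating in versions[proto]:
            if rating != "strong" or LEGACY_CIPHER_RE.search(cipher):
                findings.append(f"legacy cipher under {proto}: {cipher} ({rating})")
    return findings


def is_tls12_only(versions: Dict[str, List[Tuple[str, str]]]) -> bool:
    """True when the scan shows at least one version and none of the deprecated ones."""
    return bool(versions) and not (set(versions) & DEPRECATED)
```

Run against the saved output of `nmap --script ssl-enum-ciphers -p 5555 <client>` to get the same list the scanning team sees, rather than reading the long output by eye.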


  • Hello

    Please open a support case; this is a known issue that is being investigated, and design changes are needed. But keep in mind that even when the protocol is listening, communication is not possible: if you try to connect, the attempt will be rejected.


    Best Regards