
How to disable SSLv3 on Email Gateway
Technical Articles ID: KB83165
Last Modified: 3/4/2016


Environment

McAfee Email Gateway (MEG) 7.6

Summary

By default, MEG allows negotiation of secure connections via SSLv3. Perform the steps in this article to disable SSLv3 connections.

Solution

This resolution requires that you have installed MEG 7.6.2H1008011 (3044.109) or later.

IMPORTANT: MEG-7.6.2h1010246-3044.119 does not include the fix in MEG-7.6.2h1008011-3044.109.

IMPORTANT:
  • If you are using ePO to manage your appliance, you must follow the process documented in KB82606 to avoid ePO overwriting your configuration changes.
  • Technical Support recommends that you save the configuration file from the appliance and store a backup copy in a separate location. Edit a copy of the configuration file, and always keep a current version in a safe place.
  • For details about saving, editing, and restoring the appliance configuration file, follow the instructions in KB56323.


To disable SSLv3 for SMTP:
  1. Export the Appliance configuration file and extract config\machine.xml:
    1. Create a new folder and assign a descriptive name.
    2. Log on to the Appliance Management Console and select System, System Administration, Configuration Management.
    3. Click Backup Config, and then click the link to save the configuration. Save the configuration to the new folder.

      NOTE:
      The numbers in the name of the configuration file change with new versions and updates.
       
    4. Save a copy of the configuration zip file to a backup location.
    5. Right-click the configuration file and select Open with WinZip.
    6. Locate the config\machine.xml file and extract it to your new folder.

      NOTE:
       Ensure that you do not extract the full zip file, only the XML file to be edited. Extracting the full configuration can cause corruption in the MEG Appliance configuration.
       
  2. Edit the machine.xml configuration file:
    1. Right-click machine.xml and select Open with Wordpad.
    2. Search for ForbiddenProtocols. The entry will be in the following text section:

      <List name="ForbiddenProtocols" type="nstr">
      <Attr name="0" value="SSLv2"/>
      </List>
    3. Change the entry to read as follows:

      <List name="ForbiddenProtocols" type="nstr">
      <Attr name="0" value="SSLv2"/>
      <Attr name="1" value="SSLv3"/>
      </List>
    4. Click Save.
    5. Update the MEG Appliance configuration zip file with the edited machine.xml.
       
  3. Restore the configuration file to the Appliance:
    1. Log on to the Appliance Management Console and select System, System Administration, Configuration Management, Backup and Restore Configuration.
    2. Click Restore from File, locate the updated configuration zip file, and click OK.
    3. Select the values to restore and click OK.
    4. Click Close.
    5. Click Apply Changes.
    6. Type a comment and click OK.

To disable block-based ciphers for the Management Console or the Secure Web Mail service on the MEG:

  1. Export the Appliance configuration file and extract config\network.xml:
    1. Create a new folder and assign a descriptive name.
    2. Log on to the Appliance Management Console and select System, System Administration, Configuration Management.
    3. Click Backup Config, and then click the link to save the configuration. Save the configuration to the new folder.

      NOTE:
      The numbers in the name of the configuration file change with new versions and updates.
       
    4. Save a copy of the configuration zip file to a backup location.
    5. Right-click the configuration file and select Open with WinZip.
    6. Locate the config\network.xml file and extract it to your new folder.

      NOTE:
       Ensure that you do not extract the full zip file, only the XML file to be edited. Extracting the full configuration can cause corruption in the MEG Appliance configuration.
       
  2. Edit the network.xml configuration file:
    1. Right-click network.xml and select Open with Wordpad.
    2. Search for httpd. The entry will be in the following text section:

      <Settings name="httpd-settings" type="Product" version="3.1">
                <Attr name="Ciphers" type="nstr" value="RC4-SHA:RC4-MD5:HIGH:!aNULL:!DSS"/>

      or

      <Settings name="httpd-wmc-settings" type="Product" version="3.1">
                <Attr name="Ciphers" type="nstr" value="RC4-SHA:RC4-MD5:HIGH:!aNULL:!DSS"/>
       
    3. Change the entry to read as follows:

      IMPORTANT: Before you activate this rule, ensure that you do not have RC4 blocked on your web browser. If RC4 is blocked, you will be locked out of the Appliance.

      <Attr name="Ciphers" type="nstr" value="TLSv1.2:RC4-SHA:!aNULL:!PSK:!KRB5:!eNULL"/>
       
       
    4. Click Save.
    5. Update the MEG Appliance configuration zip file with the edited network.xml.
       
  3. Restore the configuration file to the Appliance:
    1. Log on to the Appliance Management Console and select System, System Administration, Configuration Management, Backup and Restore Configuration.
    2. Click Restore from File, locate the updated configuration zip file, and click OK.
    3. Select the values to restore and click OK.
    4. Click Close.
    5. Click Apply Changes.
    6. Type a comment and click OK.
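
The two XML edits described above (ForbiddenProtocols in machine.xml and Ciphers in network.xml) can be scripted on the extracted copies so that they are repeatable and idempotent. This is an added example, not McAfee code or part of the original article: the function names are hypothetical, the sample XML is constructed from the snippets above with placeholder wrapper elements, and it assumes the Ciphers attribute directly follows the opening Settings tag as shown in the article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: inner lines follow the article; the wrapper elements are placeholders.
MACHINE_XML = '''<Settings name="placeholder">
  <List name="ForbiddenProtocols" type="nstr">
  <Attr name="0" value="SSLv2"/>
  </List>
</Settings>
'''
NETWORK_XML = '''<Config>
<Settings name="httpd-settings" type="Product" version="3.1">
  <Attr name="Ciphers" type="nstr" value="RC4-SHA:RC4-MD5:HIGH:!aNULL:!DSS"/>
</Settings>
<Settings name="httpd-wmc-settings" type="Product" version="3.1">
  <Attr name="Ciphers" type="nstr" value="RC4-SHA:RC4-MD5:HIGH:!aNULL:!DSS"/>
</Settings>
</Config>
'''
NEW_CIPHERS = "TLSv1.2:RC4-SHA:!aNULL:!PSK:!KRB5:!eNULL"  # value given in the article

LIST_RE = re.compile(r'(<List name="ForbiddenProtocols"[^>]*>)(.*?)(\s*</List>)', re.S)
ATTR_RE = re.compile(r'([ \t]*)<Attr name="(\d+)" value="([^"]*)"/>')
HTTPD_RE = re.compile(r'(<Settings name="(httpd-settings|httpd-wmc-settings)"[^>]*>\s*'
                      r'<Attr name="Ciphers" type="nstr" value=")([^"]*)(")')

def forbid_protocol(xml_text, protocol="SSLv3"):
    """Append protocol to each ForbiddenProtocols list lacking it; other text is untouched."""
    def patch(m):
        head, body, tail = m.groups()
        attrs = ATTR_RE.findall(body)
        if any(value == protocol for _, _, value in attrs):
            return m.group(0)                      # already forbidden: no change
        indent = attrs[-1][0] if attrs else ""     # reuse the file's own indentation
        index = max((int(i) for _, i, _ in attrs), default=-1) + 1
        return f'{head}{body.rstrip()}\n{indent}<Attr name="{index}" value="{protocol}"/>{tail}'
    patched, hits = LIST_RE.subn(patch, xml_text)
    if not hits:
        raise ValueError("ForbiddenProtocols list not found")
    ET.fromstring(patched)                         # raises if the edit broke well-formedness
    return patched

def set_httpd_ciphers(xml_text, ciphers=NEW_CIPHERS):
    """Set Ciphers in the two httpd Settings blocks only; return (text, names changed)."""
    changed = [m.group(2) for m in HTTPD_RE.finditer(xml_text) if m.group(3) != ciphers]
    patched = HTTPD_RE.sub(lambda m: m.group(1) + ciphers + m.group(4), xml_text)
    ET.fromstring(patched)                         # raises if the edit broke well-formedness
    return patched, changed
```

Apply the functions to the text of the extracted machine.xml and network.xml copies, then continue with the step that updates the configuration zip file.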
