This document describes the support position of Sustaining Engineering relative to a McAfee application.
Overview
This document addresses concerns about ePO server, Agent Handler, and McAfee Agent support for
Transport Layer Security (TLS) 1.2.
Description
TLS versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA are no longer recommended for general use in TLS, and have been removed from TLS 1.2.
NOTE: The above also applies to the items listed below:
- Qualys QID-38628: SSL/TLS Server supports TLSv1.0.
- Nessus PluginID 104743: TLS Version 1.0 Protocol Detection
Research and Conclusions
Communication between the Agent Handler and McAfee Agent 4.8 uses TLS 1.0, so disabling TLS 1.0 breaks McAfee Agent 4.8's ability to communicate with the ePO server/Agent Handlers.
IMPORTANT: McAfee Agent 4.8 is End of Life (Excluding HP-UX, AIX, and Solaris). MA 4.8 can use only TLS 1.0. It is not possible to configure it to communicate using TLS 1.2 with the ePO server/Agent Handler with the current implementation. Upgrade to the newer McAfee Agent 5.x that supports TLS 1.2.
By default, McAfee Agent 5.x communicates using TLS 1.2, as long as the ePO server and the Agent Handler support TLS 1.2. When the server does not support TLS 1.2, MA falls back to TLS 1.1, and then to TLS 1.0.
The following workaround forces McAfee Agent 5.x agents to communicate using only TLS 1.2 with Agent Handlers (local and remote).
Local Agent Handler:
- Log on to the ePO server.
- Navigate to the following folder:
32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\"
64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\"
- Edit the file ssl.conf and change the following line:
From: SSLProtocol all -SSLv3 -SSLv2
- Restart the Agent Handler (Apache Service).
Remote Agent Handler:
- Log on to the remote Agent Handler.
- Navigate to the following Agent Handler folder:
32-bit: "C:\Program Files\McAfee\Agent Handler\Apache2\conf\"
64-bit: "C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\"
- Edit the file ssl.conf and change the following line:
From: SSLProtocol all -SSLv3 -SSLv2
- Restart the Agent Handler (Apache Service).
Disabling TLS 1.0 and 1.1 for Tomcat
You can also disable TLS 1.0 or TLS 1.1 for the ePO Application Server service (Tomcat), which listens on port 8443 or 8444 by default, using the following instructions:
WARNING: By following these instructions, you might render some older browser versions unable to access the ePO console because they might not be compatible with TLS 1.2.
- Navigate to: <ePO_installation_folder>\Server\conf
- Create a backup of the file server.xml.
- Edit the file server.xml and update the sslProtocol and sslEnabledProtocols attributes for the specified Connector elements:
  - Open the file server.xml.
  - Within each Connector element, modify the sslProtocol and sslEnabledProtocols attributes as shown in the following example. Perform this step for both Tomcat listening ports 8443 and 8444.
ePO 5.3 example:
<Connector clientAuth="want" disableUploadTimeout="true"
    enableLookups="false" id="orion.server.https"
    keystoreFile="keystore/server.keystore"
    keystorePass="snowcap" maxHttpHeaderSize="8192"
    maxThreads="250" minSpareThreads="25" port="8443"
    scheme="https" secure="true" server="Undefined"
    sessionCacheSize="400" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" />
NOTES:
- To disable only TLS 1.0 and leave TLS 1.1 enabled, the sslEnabledProtocols entry would look like this: sslEnabledProtocols="TLSv1.1,TLSv1.2"
- If the sslEnabledProtocols attribute does not exist, add it immediately following the sslProtocol attribute.
- Restart the McAfee ePolicy Orchestrator 5.x Application Server service.
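The following script is an added verification aid for both procedures above (the Apache ssl.conf SSLProtocol edit for the Agent Handlers and the Tomcat server.xml sslEnabledProtocols edit); it is not McAfee's code. It reads an ssl.conf body and a server.xml body and reports which SSL/TLS versions each still allows, so an administrator can confirm the edit took effect before restarting services, or feed it the files from a remote Agent Handler. The sample config text inside it is constructed for illustration. It assumes Apache's "all" keyword expands to SSLv3 and TLSv1 through TLSv1.2 (newer Apache builds add TLSv1.3; adjust APACHE_ALL if so), and the hardened directive shown in SSL_CONF_AFTER is one assumed form that leaves only TLS 1.2 enabled, not a line quoted from the article.

```python
"""Audit which SSL/TLS versions an Apache ssl.conf SSLProtocol directive and
Tomcat server.xml Connectors still allow.  Added example, not McAfee code."""
import re
import xml.etree.ElementTree as ET

# Assumption: what Apache 2.2/2.4 mod_ssl means by "all" (newer builds add TLSv1.3).
APACHE_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}      # versions the article retires
CANON = {n.lower(): n for n in APACHE_ALL + ("SSLv2", "TLSv1.3")}

# Constructed samples: the directive quoted in the article, and an assumed hardened form.
SSL_CONF_BEFORE = "SSLProtocol all -SSLv3 -SSLv2\n"
SSL_CONF_AFTER = "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n"

# Constructed server.xml: one connector per state an administrator might find.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
    <Connector port="8444" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"/>
    <Connector port="8445" scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>"""


def apache_enabled_protocols(ssl_conf):
    """Evaluate the last SSLProtocol directive in an ssl.conf body.

    mod_ssl processes tokens left to right: a bare token (including "all")
    replaces the set, "+Name" adds a version, "-Name" removes one.
    Returns an empty set when no directive is present (Apache default applies).
    """
    directive = None
    for raw in ssl_conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if m:
            directive = m.group(1)
    enabled = set()
    if directive is None:
        return enabled
    for token in directive.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        versions = set(APACHE_ALL) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if action == "-":
            enabled -= versions
        elif action == "+":
            enabled |= versions
        else:
            enabled = set(versions)
    return enabled


def tomcat_enabled_protocols(server_xml):
    """Map each HTTPS Connector's port to the versions its sslEnabledProtocols
    attribute lists; None marks a connector where the attribute is missing
    (the JSSE default then decides, which the article's note tells you to avoid)."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https":
            continue                                  # plain HTTP connector, not in scope
        attr = conn.get("sslEnabledProtocols")
        result[conn.get("port")] = (
            None if attr is None else {p.strip() for p in attr.split(",") if p.strip()}
        )
    return result


def legacy_protocols(enabled):
    """Sorted list of the still-enabled versions that should be disabled."""
    return sorted(enabled & LEGACY)


def audit(ssl_conf, server_xml):
    """Return human-readable findings; an empty list means only TLS 1.2+ remains."""
    findings = []
    weak = legacy_protocols(apache_enabled_protocols(ssl_conf))
    if weak:
        findings.append("Apache ssl.conf still allows " + ", ".join(weak))
    for port, versions in sorted(tomcat_enabled_protocols(server_xml).items()):
        if versions is None:
            findings.append(f"Tomcat connector {port}: sslEnabledProtocols missing, JSSE default applies")
        elif legacy_protocols(versions):
            findings.append(f"Tomcat connector {port} still allows " + ", ".join(legacy_protocols(versions)))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SSL_CONF_BEFORE), ("after", SSL_CONF_AFTER)):
        print(f"--- ssl.conf {label} ---")
        for f in audit(conf, SERVER_XML) or ["no legacy protocol versions found"]:
            print(" ", f)
```

To audit a real system, replace the constructed strings with the contents of ssl.conf from the Agent Handler's Apache2\conf folder and server.xml from <ePO_installation_folder>\Server\conf; the parser only looks at the SSLProtocol directive and the Connector attributes named in this article, so the rest of the files does not need to be well-formed for Apache's sake, but server.xml must be well-formed XML.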
Disclaimer
Any future product release dates mentioned in this statement are intended to outline our general product direction. They can't be relied on in making a purchasing decision:
- The product release dates are for information purposes only, and might not be incorporated into any contract.
- The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
- The development, release, and timing of any features or functionality described for our products remains at our sole discretion. They might be changed or canceled at any time.
Related keyword: CVE-2009-3555