This document describes the support position of Sustaining Engineering relative to a McAfee application.

Overview
This document addresses concerns about ePO server, Agent Handler, and McAfee Agent support for Transport Layer Security (TLS) 1.2. 

Description
TLS versions 1.0 (RFC 2246) and 1.1 (RFC 4346) include cipher suites based on the DES (Data Encryption Standard) and IDEA (International Data Encryption Algorithm) algorithms. DES and IDEA are no longer recommended for general use in TLS, and have been removed from TLS 1.2.

NOTE: The above also applies to items listed below: 

Research and Conclusions

Communication between the Agent Handler and McAfee Agent 4.8 uses TLS 1.0, and disabling TLS 1.0 breaks the McAfee Agent 4.8 ability to communicate with the ePO server/Agent Handlers.

 

IMPORTANT: McAfee Agent 4.8 is End of Life (Excluding HP-UX, AIX, and Solaris). MA 4.8 can use only TLS 1.0. It is not possible to configure it to communicate using TLS 1.2 with the ePO server/Agent Handler with the current implementation. Upgrade to the newer McAfee Agent 5.x that supports TLS 1.2.

 

By default, McAfee Agent 5.x communicates using TLS 1.2. It does so as long as the ePO server, and the Agent Handler supports TLS 1.2. When the server does not support TLS 1.2, MA switches to TLS 1.1, and then to TLS 1.0.

 

The following workaround forces McAfee Agent 5.x agents to communicate using only TLS 1.2 with Agent Handlers (local and remote).

 

Disabling TLS 1.0 and 1.1 for Tomcat
You can also disable TLS 1.0 or TLS 1.1 for the ePO Application Server service (Tomcat), which listens on port 8443 or 8444 by default, using the following instructions:

WARNING: By following these instructions, you might render some older browser versions unable to access the ePO console because they might not be compatible with TLS 1.2. 

1. Navigate to: <ePO_installation_folder>\Server\conf
2. Create a backup of the file server.xml.
3. Edit the file server.xml and update the sslProtocol and sslEnabledProtocols attributes for the specified Connector elements:
   1. Open the file server.xml.
   2. Within each Connector element, modify the sslProtocol and sslEnabledProtocols attributes as shown in the following example. Perform this step for both Tomcat listening ports 8443 and 8444. 
      
      ePO 5.3 example:
       
      clientAuth="want" disableUploadTimeout="true"
      enableLookups="false" id="orion.server.https"
      keystoreFile="keystore/server.keystore"
      keystorePass="snowcap" maxHttpHeaderSize="8192"
      maxThreads="250" minSpareThreads="25" port="8443"
      scheme="https" secure="true" server="Undefined"
      sessionCacheSize="400" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
       
      NOTES: 

      • To disable only TLS 1.0 and leave TLS 1.1 enabled, the sslEnabledProtocols entry would look like this: sslEnabledProtocols="TLSv1.1,TLSv1.2"
      • If the sslEnabledProtocols attribute does not exist, add it immediately following the sslProtocol attribute. 
4. Restart the McAfee ePolicy Orchestrator 5.x Application Server service.

• The product release dates are for information purposes only, and might not be incorporated into any contract.
• The product release dates are not a commitment, promise, or legal obligation to deliver any material, code, or functionality.
• The development, release, and timing of any features or functionality described for our products remains at our sole discretion. They might be changed or canceled at any time.

Related keyword: CVE-2009-3555