If you run a vulnerability scan or otherwise detect that Transport Layer Security (TLS) 1.0 is enabled on your ePO server, we recommend upgrading to ePO 5.10 Update 11 or later. This advice applies to the following common flags on Nessus or Qualsys:
Qualys QID-38628: SSL/TLS Server supports TLSv1.0.
Nessus PluginID 104743: TLS Version 1.0 Protocol Detection
The same applies if you run a scan or otherwise detect that ePO is using insecure static key ciphers.
Starting with ePO 5.10 Update 11, the TLS version 1.0 (RFC 2246) and 1.1 (RFC 4346) are disabled by default in ePO. Some RSA Static Key ciphers are removed from the cipher list. Communication between the Agent Handler and MA 4.8 requires TLS 1.0, thus disabling TLS 1.0 breaks the MA 4.8 ability to communicate with the Apache service on the ePO server and Agent Handlers.
MA 5.5.x and 5.0.x negotiates a static key cipher in its TLS handshake to ePO's Tomcat service on port 8443. A manual action can be taken to provision the agent using the maconfig command line interface (CLI). The manual action only impacts the manual provisioning process, and doesn’t apply to these agent versions agent-to-server communication.
To successfully provision MA 5.5.x or MA 5.0.x manually using the maconfig CLI, you must edit the server.xml used by Tomcat, and add one other cipher.
If you want to allow MA 4.8 to communicate with the Apache service on an agent handler, you must enable TLS 1.0, and two static key ciphers.
MA 5.5.x and MA 5.0.x are also EOL, except MA 5.0.3 which is supported only on the POSReady 2009, Windows XP Embedded, and Windows Embedded Point of Service (WEPOS) operating systems.
See the related article: KB91134 - End of Life for McAfee Agent 5.5.x, 5.0.x.
DXL broker's installed using OVA or ISO, also known as the DXL Broker Appliance, have MA 5.5.1 bundled with them, and are impacted with this issue.
If you have a DXL Broker Appliance that is communicating with ePO, you can update the agent on the appliance using a standard product deployment task. For details, see the McAfee Agent Installation Guide for guidance.
The following applies if you’re setting up a new DXL Broker Appliance, or if you never successfully provisioned the agent on your existing DXL Broker Appliance: You must follow the guidance in the section below titled Enabling MA 5.0.x - 5.5.x to be provisioned with ePO 5.10 Update 11 and later. That section uses the maconfig command line interface to provision the agent on the DXL Broker Appliance.
MA 5.5.0 and later can be provisioned using the CLI, and communicate using TLS 1.2. It does so with the revised cipher suites included in ePO 5.10 Update 11.
Follow the instructions in the relevant section below to either:
Allow legacy agents to work with ePO 5.10 Update 11 or later.
Or
If you need to disable TLS 1.0 and 1.1 for older versions of ePO, but can't upgrade to ePO 5.10 Update 11 or later.
Contents:
Click to expand the section you want to view:
These instructions must be done on the ePO server and all remote agent handlers:
Log on to the ePO server.
Go to one of the folders below:
32-bit: C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\
Or
64-bit: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\
Edit the file ssl.conf, and change the line:
From: SSLProtocol +TLSv1.2
To: SSLProtocol all -SSLv3 -SSLv2
Search for SSLCipherSuite in the ssl.conf file, and replace the entire line with the content below:
IMPORTANT: Don’t include any page breaks, or extra characters.
Save the changes to the ssl.conf file.
Restart the Agent Handler (Apache Service).
These instructions need to be followed on the ePO server; they don’t apply to agent handlers:
Go to: <ePO_installation_folder>\Server\conf
Create a backup of the file server.xml file.
Edit the file server.xml and add the TLS_RSA_WITH_AES_128_CBC_SHA cipher to the list of ciphers allowed by the Connector element for the port you use to access the ePO console. By default, the port is 8443.
Open the file server.xml.
Within the Connector element for Port 8443, locate the section ciphers=.
Add TLS_RSA_WITH_AES_128_CBC_SHA to the list, separating it from the other ciphers in the list with a comma and a space.
Below is an example of what the entire set of ciphers in that XML element must look like, after the change on an ePO 5.10 update 11 server:
From:SSLProtocol all -SSLv3 -SSLv2
To: SSLProtocol +TLSv1.2
Restart the Agent Handler (Apache Service):
Press the Windows key + R.
Type services.msc into the field and press Enter.
Right-click the ePO service below, and select Restart:
McAfee ePolicy Orchestrator 5.#.# Server
Close the services window.
Remote Agent Handler:Disabling TLS 1.0 and 1.1 for Tomcat
Use the instructions below to disable TLS 1.0 or TLS 1.1 for the ePO Application Server service (Tomcat). This service listens on port 8443 or 8444 by default.
From: SSLProtocol all -SSLv3 -SSLv2
To: SSLProtocol +TLSv1.2
Restart the Agent Handler (Apache Service).
Go to: <ePO_installation_folder>\Server\conf
Create a backup of the fileserver.xml.
Edit the file server.xml and update the sslProtocol and sslEnabledProtocolsattributes for the specified Connector elements:
Open the file server.xml.
Within each Connector element, modify the sslProtocoland sslEnabledProtocols attributes as shown in the example below. NOTE: Perform the step for both Tomcat listening ports 8443 and 8444.