DCE Server Build: 8.2.0.239 and TLS violation

Barliman_apc_customer · 3 weeks ago

Server is running in a VM.

I just ran a Qualys scan and it returned:
"TLSv1.0 is supported"

How do I disable various TLS versions. We need to use, at minimum, only TLS1.2, but do want to move to 1.3 as that's what all our NMC's now support.

I checked System -> Server Administration Settings -> Server Access, but can't find anything there to select TLS version.

Regards,

Tom

APC_Steve · 3 weeks ago

Hi @Barliman_apc_customer

There is no option in current DCE versions to disable specific versions of TLS.
If you go to "System"-->"Server Administration Settings"-->"Server Access"-->"Security Policy",

You have a few options for security. The most stringent of which being "Future".
With this setting, 1.0 and 1.1 are disabled.

Please keep in mind that if you have older APC network management cards, they may require the older versions of TLS. This is the main reason some older protocols are still available as older cards may not have the ability to be updated to use the newer protocols.

Please note that most of the policies are based on Linux security:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/security_hardening/using-th...

Thanks,
Steve

P.S.
FIPS is actually the most secure but the server must be initially deployed with that setting. If you've upgraded from earlier versions, this is not an option.