Enable TLS 1.2 strong cipher suites

Enabling strong cipher suites allows you to be certain that all of the communications to and from your Deep Security components are secure. If a malicious user were to create a connection to your system over a communications channel that uses weak cipher suites, this person could exploit the known weaknesses in these suites to put your system and information at risk.

This page describes how to update the Deep Security Manager, Deep Security Agent and Deep Security Relay so that they use the TLS 1.2 strong cipher suites. These cipher suites have an Advanced+ (A+) rating, and are listed in the table on this page.

Enabling strong cipher suites involves upgrading all your Deep Security components to 12.0 or later. If this is not possible—for example, you're using operating systems for which a 12.0 agent is not available—see instead Use TLS 1.2 with Deep Security.

Step 1: Update Deep Security components

Step 2: Run a script to enable TLS 1.2 strong cipher suites

Step 3: Verify that the script worked

Disable TLS 1.2 strong cipher suites

Update Deep Security components

Make sure you update all components in the order listed below or else the agents will not be able to communicate with the relays and manager.

  1. Update all your manager instances to 12.0 or a later update. For upgrade instructions, Upgrade Deep Security Manager VM for Azure Marketplace.
  2. Update all your relays to 12.0 or later. To upgrade a relay, follow the same process as upgrading an agent:
    1. Import the latest relay software into the manager, either manually or automatically. See Upgrade the Deep Security Agent for details.
    2. Upgrade the relay:
  3. Update all your agents to 12.0 or later. To upgrade your agents:
    1. Import the latest agent software into the manager, either manually or automatically. See Upgrade the Deep Security Agent for details.
    2.  Upgrade your Deep Security Agents:

Run a script to enable TLS 1.2 strong cipher suites

  1. Copy the EnableStrongCiphers12.script file available at https://github.com/deep-security/ops-tools/tree/master/deepsecurity/manager to:
    • On Windows: <Manager_root>\Scripts
    • On Linux: <Manager_root>/Scripts

    where <Manager_root> is replaced with the path to your manager's installation directory, by default:

    • C:\Program Files\Trend Micro\Deep Security Manager (Windows)
    • /opt/dsm/ (Linux)

    If you do not see a \Scripts directory, create it.

  1. Log in to the manager.
  2. Click Administration at the top.
  3. On the left, click Scheduled Tasks.
  4. In the main pane, click New.
  5. The New Scheduled Task Wizard appears.
  6. From the Type drop-down list, select Run Script. Select Once Only. Click Next.
  7. Accept the date, time, and time zone defaults and click Next.
  8. For the Script, select EnableStrongCiphers.script. Click Next.
  9. For the Name, enter a name for the script, for example, Enable Strong Cipher Suites. Make sure Task Enabled is selected. Click Run Task on ‘Finish’. Click Finish.

    The script runs.

  10. Restart the Deep Security Manager service.

    Your agents, relays, and manager should now be communicating with each other using TLS 1.2 strong cipher suites exclusively.

Verify that the script worked

To verify that the script worked, and that only strong TLS 1.2 cipher suites are permitted, you must run a series of nmap commands.

Verify the manager using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4119 <Manager_FQDN>

The output should look similar to the following, with the strong cipher suites near the middle:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:51 EST

Nmap scan report for <DSM FQDN> (X.X.X.X)

Host is up (0.0049s latency).

PORT STATE SERVICE

4119/tcp open assuria-slm

| ssl-enum-ciphers:

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A

| compressors:

| NULL

| cipher preference: client

|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds

Verify the relays using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4122 <Relay_FQDN>

The output should look similar to the following, again, with the strong cipher suites listed near the middle:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:49 EST

Nmap scan report for <DSR FQDN> (X.X.X.X)

Host is up (0.0045s latency).

PORT STATE SERVICE

4122/tcp open unknown

| ssl-enum-ciphers:

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

| compressors:

| NULL

| cipher preference: server

|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 31.02 seconds

Verify the agents using nmap

Run this command:

nmap --script ssl-enum-ciphers -p 4118 <Agent_FQDN>

The output looks similar to the following:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:50 EST

Nmap scan report for <DSA FQDN> (X.X.X.X)

Host is up (0.0048s latency).

PORT STATE SERVICE

4118/tcp open netscript

| ssl-enum-ciphers:

| TLSv1.2:

| ciphers:

| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A

| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A

| compressors:

| NULL

| cipher preference: server

|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.72 seconds

Disable TLS 1.2 strong cipher suites

If you mistakenly run the script before upgrading all of your agents, relays, or the manager, you can revert this action by doing the following:

  1. Open the configuration.properties file in <Manager_root>, and remove the line starting with ciphers. The line looks similar to the following:

    ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  2. Add the following values to the protocols field: TLSv1 and TLSv1.1. Your final property looks similar to this:

    protocols = TLSv1, TLSv1.1, TLSv1.2

  3. Save and close the file.
  4. Open the java.security file in <Manager_root>\jre\lib\security\ and remove the following two protocols from jdk.tls.disabledAlgorithms:

    TLSv1, TLSv1.1

  5. On Deep Security Manager, run the following dsm_c commands:

    dsm_c –action changesetting –name settings.configuration.restrictRelayMinimumTLSProtocol –value TLSv1

    dsm_c –action changesetting –name settings.configuration.enableStrongCiphers –value false

    Your system should now be able to communicate again. If you still need to enable TLS 1.2 strong cipher suites, make sure you have upgraded all components before running the script.

If you continue to experience communication problems with the Deep Security Manager, run this additional dsm_c command:

dsm_c –action changesetting –name settings.configuration.MinimumTLSProtocolNewNode –value TLSv1