Enable TLS 1.2 strong cipher suites
Enabling strong cipher suites allows you to be certain that all of the communications to and from your Deep Security components are secure. If a malicious user were to create a connection to your system over a communications channel that uses weak cipher suites, this person could exploit the known weaknesses in these suites to put your system and information at risk.
This page describes how to update the Deep Security Manager, Deep Security Agent and Deep Security Relay so that they use the TLS 1.2 strong cipher suites. These cipher suites have an Advanced+ (A+) rating, and are listed in the table on this page.
Enabling strong cipher suites involves upgrading all your Deep Security components to 12.0 or later. If this is not possible—for example, you're using operating systems for which a 12.0 agent is not available—see instead Use TLS 1.2 with Deep Security.
Step 1: Update Deep Security components
Step 2: Run a script to enable TLS 1.2 strong cipher suites
Step 3: Verify that the script worked
Disable TLS 1.2 strong cipher suites
Update Deep Security components
Make sure you update all components in the order listed below or else the agents will not be able to communicate with the relays and manager.
- Update all your manager instances to 12.0 or a later update. For upgrade instructions, Upgrade Deep Security Manager VM for Azure Marketplace.
- Update all your relays to 12.0 or later. To upgrade a relay, follow the same process as upgrading an agent:
- Import the latest relay software into the manager, either manually or automatically. See Upgrade the Deep Security Agent for details.
- Upgrade the relay:
- To automatically upgrade a relay, see Initiate an agent upgrade.
- To manually upgrade a relay, see Manually upgrade the agent.
- Update all your agents to 12.0 or later. To upgrade your agents:
- Import the latest agent software into the manager, either manually or automatically. See Upgrade the Deep Security Agent for details.
- Upgrade your Deep Security Agents:
- To automatically upgrade an agent, see Initiate an agent upgrade.
- To manually upgrade an agent, see Manually upgrade the agent.
Run a script to enable TLS 1.2 strong cipher suites
- Copy the EnableStrongCiphers12.script file available at https://github.com/deep-security/ops-tools/tree/master/deepsecurity/manager to:
- On Windows: <Manager_root>\Scripts
- On Linux: <Manager_root>/Scripts
where <Manager_root> is replaced with the path to your manager's installation directory, by default:
- C:\Program Files\Trend Micro\Deep Security Manager (Windows)
- /opt/dsm/ (Linux)
If you do not see a \Scripts directory, create it.
- Log in to the manager.
- Click Administration at the top.
- On the left, click Scheduled Tasks.
- In the main pane, click New.
- The New Scheduled Task Wizard appears.
- From the Type drop-down list, select Run Script. Select Once Only. Click Next.
- Accept the date, time, and time zone defaults and click Next.
- For the Script, select EnableStrongCiphers.script. Click Next.
- For the Name, enter a name for the script, for example, Enable Strong Cipher Suites. Make sure Task Enabled is selected. Click Run Task on ‘Finish’. Click Finish.
The script runs.
- Restart the Deep Security Manager service.
Your agents, relays, and manager should now be communicating with each other using TLS 1.2 strong cipher suites exclusively.
Verify that the script worked
To verify that the script worked, and that only strong TLS 1.2 cipher suites are permitted, you must run a series of nmap commands.
Verify the manager using nmap
Run this command:
nmap --script ssl-enum-ciphers -p 4119 <Manager_FQDN>
The output should look similar to the following, with the strong cipher suites near the middle:
Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:51 EST
Nmap scan report for <DSM FQDN> (X.X.X.X)
Host is up (0.0049s latency).
PORT STATE SERVICE
4119/tcp open assuria-slm
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256k1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256k1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256k1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 6.82 seconds
Verify the relays using nmap
Run this command:
nmap --script ssl-enum-ciphers -p 4122 <Relay_FQDN>
The output should look similar to the following, again, with the strong cipher suites listed near the middle:
Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:49 EST
Nmap scan report for <DSR FQDN> (X.X.X.X)
Host is up (0.0045s latency).
PORT STATE SERVICE
4122/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 31.02 seconds
Verify the agents using nmap
Run this command:
nmap --script ssl-enum-ciphers -p 4118 <Agent_FQDN>
The output looks similar to the following:
Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-14 09:50 EST
Nmap scan report for <DSA FQDN> (X.X.X.X)
Host is up (0.0048s latency).
PORT STATE SERVICE
4118/tcp open netscript
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 2.72 seconds
Disable TLS 1.2 strong cipher suites
If you mistakenly run the script before upgrading all of your agents, relays, or the manager, you can revert this action by doing the following:
- Open the configuration.properties file in <Manager_root>, and remove the line starting with ciphers. The line looks similar to the following:
ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- Add the following values to the protocols field: TLSv1 and TLSv1.1. Your final property looks similar to this:
protocols = TLSv1, TLSv1.1, TLSv1.2
- Save and close the file.
- Open the java.security file in <Manager_root>\jre\lib\security\ and remove the following two protocols from jdk.tls.disabledAlgorithms:
TLSv1, TLSv1.1
- On Deep Security Manager, run the following dsm_c commands:
dsm_c –action changesetting –name settings.configuration.restrictRelayMinimumTLSProtocol –value TLSv1
dsm_c –action changesetting –name settings.configuration.enableStrongCiphers –value false
Your system should now be able to communicate again. If you still need to enable TLS 1.2 strong cipher suites, make sure you have upgraded all components before running the script.
If you continue to experience communication problems with the Deep Security Manager, run this additional dsm_c command:
dsm_c –action changesetting –name settings.configuration.MinimumTLSProtocolNewNode –value TLSv1