If you run a vulnerability scan or otherwise detect that Transport Layer Security (TLS) 1.0 is enabled on your ePO server, we recommend upgrading to ePO 5.10 Update 11 or later. This advice applies to the following common flags on Nessus or Qualsys:

• Qualys QID-38628: SSL/TLS Server supports TLSv1.0. 
• Nessus PluginID 104743: TLS Version 1.0 Protocol Detection

The same applies if you run a scan or otherwise detect that ePO is using insecure static key ciphers.

Starting with ePO 5.10 Update 11, the TLS version 1.0 (RFC 2246) and 1.1 (RFC 4346) are disabled by default in ePO. Some RSA Static Key ciphers are removed from the cipher list. Communication between the Agent Handler and MA 4.8 requires TLS 1.0. Thus, disabling TLS 1.0 breaks the MA 4.8's ability to communicate with the Apache service on the ePO server and Agent Handlers.

MA 5.5.x and 5.0.x negotiate a static key cipher in their TLS handshake to ePO's Tomcat service on port 8443. Manual action can be taken to provision the agent using the maconfig command-line interface (CLI). The manual action only impacts the manual provisioning process, and doesn't apply to these agent versions' agent-to-server communication.

To successfully provision MA 5.5.x or 5.0.x manually using the maconfig CLI, you must edit the server.xml used by Tomcat, and add one other cipher.
If you want to allow MA 4.8 to communicate with the Apache service on an agent handler, you must enable TLS 1.0 and two static key ciphers. 

IMPORTANT:

• MA 4.8 is EOL and unsupported except when used on HP-UX, AIX, and Solaris operating systems.
  See the related article KB88098 - End of Life for Agent 4.8.x (Excluding HP-UX, AIX, and Solaris).
• MA 5.5.x and 5.0.x are also EOL, except MA 5.0.3, which is supported only on the POSReady 2009, Windows XP Embedded, and Windows Embedded Point of Service operating systems.
  See the related article KB91134 - End of Life for Agent 5.5.x, 5.0.x.
• DXL Brokers installed using OVA  or ISO, also known as the DXL Broker Appliance, have MA 5.5.1 bundled with them, and are impacted with this issue.
  • If you have a DXL Broker Appliance that's communicating with ePO, you can update the Agent on the appliance using a standard product deployment task. For details, see the MA/TA Installation Guide for guidance.
  • The following applies if you're setting up a new DXL Broker Appliance, or if you never successfully provisioned the Agent on your existing DXL Broker Appliance. You must follow the guidance in the section below titled "Enabling Agent 5.0.x - 5.5.x to be provisioned with ePO 5.10 Update 11 and later." This section uses the maconfig CLI to provision the agent on the DXL Broker Appliance.

MA 5.5.0 and later can be provisioned using the CLI, and communicate using TLS 1.2. It does so with the revised cipher suites included in ePO 5.10 Update 11.

Follow the instructions in the relevant section below for either of the following:

• To allow legacy agents to work with ePO 5.10 Update 11 or later
• If you need to disable TLS 1.0 and 1.1 for older versions of ePO, but can't upgrade to ePO 5.10 Update 11 or later  

Contents:
Click to expand the section you want to view:

Enable agent-to-server communication between MA 4.8 and ePO 5.10 Update 11 and later

These instructions must be followed on the ePO server and all remote agent handlers:

1. Log on to the ePO server.
2. Go to one of the folders below:
   
   32-bit: C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\
   
   64-bit: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\
    
3. Edit the file ssl.conf, and make the following change:
   
   Change SSLProtocol +TLSv1.2 to SSLProtocol all -SSLv3 -SSLv2
    
4. Search for SSLCipherSuite in the ssl.conf file, and replace the entire line with the content below:
   
   SSLCipherSuite DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:AES128-SHA256:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
   
   IMPORTANT: Don't include any page breaks or extra characters.
    
5. Save the changes to the ssl.conf file.
6. Restart the Agent Handler (Apache Service).

Enable MA 5.0.x–5.5.x to be provisioned with ePO 5.10 Update 11 and later using the maconfig CLI

These instructions need to be followed on the ePO server; they don't apply to agent handlers:

1. Go to <ePO_installation_folder>\Server\conf
2. Create a backup of the server.xml file.
3. Edit the file server.xml and add the TLS_RSA_WITH_AES_128_CBC_SHA cipher to the list of ciphers allowed by the Connector element for the port you use to access the ePO console. By default, the port is 8443.
   1. Open the file server.xml.
   2. Within the Connector element for Port 8443, locate the section ciphers=.
   3. Add TLS_RSA_WITH_AES_128_CBC_SHA to the list, separating it from the other ciphers in the list with a comma and a space.
      
      Below is an example of what the entire set of ciphers in that XML element must look like, after the change on an ePO 5.10 update 11 server:
      
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA"
       
4. Save the server.xml file.
5. Restart the ePO Application Server service:
   1. Press Windows+R.
   2. Type services.msc into the field and press Enter. 
   3. Right-click the ePO service below, and select Restart:
       
      McAfee ePolicy Orchestrator 5.#.# Application Server 
       
   4. Close the services window later.

IMPORTANT: The Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA isn't supported with ePO 5.10 CU 11 and later.

Disable TLS 1.0 and 1.1 in ePO 5.10 Update 10 and earlier

The following workaround forces MA/TA 5.x agents to communicate using only TLS 1.2 with Agent Handlers (local and remote).

Local Agent Handler:

1. Log on to the ePO server.
2. Go to one of the folders below:
   
   32-bit: C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\
   64-bit: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\
    
3. Edit the file ssl.conf, and make the following change:
   
   Change SSLProtocol all -SSLv3 -SSLv2 to SSLProtocol +TLSv1.2
    
4. Restart the Agent Handler (Apache Service):
   1. Press Windows+R.
   2. Type services.msc into the field and press Enter. 
   3. Right-click the ePO service below, and select Restart:
       
      McAfee ePolicy Orchestrator 5.#.# Server 
       
   4. Close the services window.

Remote Agent Handler: Disabling TLS 1.0 and 1.1 for Tomcat
Use the instructions below to disable TLS 1.0 or TLS 1.1 for the ePO Application Server service (Tomcat). This service listens on port 8443 or 8444 by default.

1. Log on to the remote Agent Handler.
2. Go to one of the Agent Handler folders below:
   
   32-bit: C:\Program Files\McAfee\Agent Handler\Apache2\conf\
   64-bit: C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\
    
3. Edit the file ssl.conf, and make the following change:
   
   Change SSLProtocol all -SSLv3 -SSLv2 to SSLProtocol +TLSv1.2
    
4. Restart the Agent Handler (Apache Service).
5. Go to <ePO_installation_folder>\Server\conf
6. Create a backup of the file server.xml.
7. Edit the file server.xml and update the sslProtocol and sslEnabledProtocols attributes for the specified Connector elements:
   1. Open the file server.xml.
   2. Within each Connector element, modify the sslProtocol and sslEnabledProtocols attributes as shown in the example below.
      
      NOTE: Perform the step for both the Tomcat listening ports 8443 and 8444.
      
      ePO 5.3 example:
      
      clientAuth="want" disableUploadTimeout="true"
      enableLookups="false" id="orion.server.https"
      keystoreFile="keystore/server.keystore"
      keystorePass="snowcap" maxHttpHeaderSize="8192"
      maxThreads="250" minSpareThreads="25" port="8443"
      scheme="https" secure="true" server="Undefined"
      sessionCacheSize="400" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
      
      NOTES:
      • To disable only TLS 1.0, and leave TLS 1.1 enabled, the sslEnabledProtocols entry would look similar to the entry below:
        
        sslEnabledProtocols="TLSv1.1,TLSv1.2"
         
      • If the sslEnabledProtocols attribute doesn't exist, add it immediately following the sslProtocol attribute. 
         
8. Restart the ePO Application Server service:
   1. Press Windows+R.
   2. Type services.msc into the field and press Enter. 
   3. Right-click the ePO service below, and select Restart:
       
      McAfee ePolicy Orchestrator 5.#.# Application Server 
       
   4. Close the services window.