SSL Version 2 and 3 Protocol Detection Vulnerability

Article ID: 81645

Article Type: Troubleshooting

Last Modified:

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including:

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so that these versions will be used only if the client or server supports nothing better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE). Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

Symptoms

The remote service encrypts traffic using a protocol with known weaknesses.

Resolution

Commvault can use TLS 1.0, 1.1, or 1.2. More on this can be found here: https://documentation.commvault.com/11.24/essential/87505_configuring_email_server.html

You may choose to disable the vulnerable TLS versions 1.0 and 1.1. This is done at the operating system level, not in Commvault.

Steps to disable TLS 1.0 and 1.1:

1. Open the Windows Registry Editor.

2. Take a backup of the registry before making any changes and keep it in a safe location. Refer to https://support.microsoft.com/en-us/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692#:~:text=Back%20up%20the%20registry%20manually,-From%20the%20Start&text=In%20Registry%20Editor%2C%20locate%20and,Click%20Save.

3. Once the backup is done, stop the Commvault services, navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols in the registry, locate the TLS 1.0 and TLS 1.1 keys, and set their Enabled DWORD value to 0 to disable them:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
    Name: Enabled
    Type: DWORD
    Data: 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    Name: Enabled
    Type: DWORD
    Data: 0

4. Reboot the server for the registry changes to take effect.
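The same steps 2 to 4, carried out from an elevated PowerShell session instead of the Registry Editor, as an added example that is not part of the Commvault article. It exports the Protocols key as a backup, creates the TLS 1.0 and TLS 1.1 Client keys if they do not yet exist (they are often absent on a default Windows install), sets Enabled to 0 as the article specifies, and reads the value back to confirm it. The backup folder is a placeholder, and the Commvault service names are not given in the article, so stopping them is left as a comment.

```powershell
# Added example (not from the Commvault article): apply and verify the
# SCHANNEL registry change from steps 2-4 with PowerShell.
# Run in an elevated session on the server; reboot afterwards (step 4).

$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Targets       = @('TLS 1.0', 'TLS 1.1')   # the versions the article disables
$BackupDir     = 'C:\RegBackup'            # placeholder: choose a safe location

function Backup-SchannelProtocols {
    # Step 2: export the whole Protocols key before touching it.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir "SCHANNEL-Protocols-$stamp.reg"
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $file /y | Out-Null
    return $file
}

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name)
    # Step 3: the "TLS 1.x\Client" key may not exist yet; -Force creates the path.
    $key = Join-Path $ProtocolsRoot "$Name\Client"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-SchannelProtocolDisabled {
    param([Parameter(Mandatory)][string]$Name)
    # Read the value back: $true only if Enabled exists under Client and is 0.
    $key = Join-Path $ProtocolsRoot "$Name\Client"
    $val = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.Enabled -eq 0)
}

$backup = Backup-SchannelProtocols
Write-Host "Registry backup written to $backup"

# Stop the Commvault services here before changing the keys (service names
# are site-specific and not listed in the article; use Stop-Service).

foreach ($p in $Targets) {
    Disable-SchannelProtocol -Name $p
    $state = if (Test-SchannelProtocolDisabled -Name $p) { 'disabled' } else { 'NOT disabled' }
    Write-Host "$p Client: $state"
}

Write-Host 'Step 4: reboot the server for the SCHANNEL change to take effect.'
```

The change only takes effect after the reboot in step 4, so Test-SchannelProtocolDisabled confirms the registry state, not that the server has stopped negotiating those versions; check that separately from a client once the server is back up.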

Additional Information: In addition, you can enforce TLS 1.2 by adding the nForceTLSV12 additional setting at the Commserv level. In the Commcell console, right-click your Commserv, select Properties, and add the setting under Additional Settings. With this setting in place, only TLS 1.2 traffic is accepted over the network.

This is discussed in our community chat here: https://community.commvault.com/commvault-q-a-2/disable-ssl-and-tls-1-0-1-1-1898

Documentation on this can be found here: https://documentation.commvault.com/additionalsetting/details?name=%22nForceTLSV12%22&id=10887
