Environment

• EDR Server: All Versions
• EDR Sensor: All Versions
• Operating System: All Types

Objective

Resolution

EDR Server

• With the cb-enterprise services running, run this command to find the enabled Ciphers for port 443

  nmap --script ssl-enum-ciphers -p 443 <serveripaddress>

Sensor/Endpoint

• Windows via Powershell

  Get-TlsCipherSuite | Format-Table Name

• Linux/macOS via Terminal

  /usr/bin/openssl ciphers -v | column -t
  

• Via PCAP capture with Wireshark: EDR: How to Get the Cipher Suite List Presented in Wireshark

Additional Notes

• You need at least one Cipher suite to match in order to complete the TLS handshake. If they do not, you have two options
  • Enable a matching cipher suite on the endpoints. How to do this may be different between OS version, please see OS documentation for how to enable a specific Cipher per your OS and Version
  • EDR: How to Update SSL Ciphers Used for Communication
• On-Prem EDR defaults to an /etc/cb/cb.conf configurartion of 'UseIncreasedSecurityCiphers = true' and 'UseWeakCBCSecurityCiphers = false' which only has the following 5 ciphers enabled:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• Hosted EDR uses the following cipher suites to accommodate endpoints on older OS's:
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384

Related Content