Environment
- EDR Server: All Versions
- EDR Sensor: All Versions
- Operating System: All Types
Objective
How to determine which cipher suites match so that the TLS handshake between the Sensor and the Server can complete
Resolution
EDR Server
Sensor/Endpoint
Additional Notes
- At least one cipher suite must match between the Sensor and the Server in order to complete the TLS handshake. If none match, you have two options
- On-Prem EDR defaults to an /etc/cb/cb.conf configuration of 'UseIncreasedSecurityCiphers = true' and 'UseWeakCBCSecurityCiphers = false', which enables only the following 5 ciphers:
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
  - TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
- Hosted EDR uses the following cipher suites to accommodate endpoints on older OSes:
  - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_256_GCM_SHA384
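The comparison described in the notes above, as an added example that is not part of the original article or the vendor's tooling: it checks a sensor's offered cipher suites against the two server lists given here and returns the shared suites under their OpenSSL names. The function names and the sample sensor offer (a CBC-only endpoint) are assumptions constructed for illustration.

```python
# Added example. Server lists are copied from this article; the sensor offer is constructed.
ONPREM_DEFAULT = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]
HOSTED = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
# Constructed sample: an older endpoint that offers only CBC suites.
LEGACY_SENSOR_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def to_openssl_name(iana):
    """Convert an IANA name of the AES suites listed in this article to OpenSSL's name."""
    kx, _, rest = iana[len("TLS_"):].partition("_WITH_")
    cipher, bits, mode, mac = rest.split("_")      # e.g. AES, 256, GCM, SHA384
    parts = [] if kx == "RSA" else kx.split("_")   # OpenSSL omits a plain RSA key exchange
    parts.append(cipher + bits)
    if mode == "GCM":                              # OpenSSL leaves CBC implicit
        parts.append(mode)
    parts.append(mac)
    return "-".join(parts)

def shared_suites(offered, enabled):
    """Suites present on both sides, in the order of the server list."""
    offered_set = {s.strip().upper() for s in offered}
    return [s for s in enabled if s in offered_set]

def compare(offered):
    """Map each server profile to the OpenSSL names of the suites it shares with `offered`."""
    profiles = {"on-prem default": ONPREM_DEFAULT, "hosted": HOSTED}
    return {name: [to_openssl_name(s) for s in shared_suites(offered, suites)]
            for name, suites in profiles.items()}

if __name__ == "__main__":
    for profile, names in compare(LEGACY_SENSOR_OFFER).items():
        print(f"{profile}: {', '.join(names) or 'NO MATCH, handshake cannot complete'}")
```

A returned OpenSSL name can be passed to `openssl s_client -tls1_2 -cipher <name> -connect <server>:<port>` to confirm that the server accepts that suite.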