
EDR: How to Update SSL Ciphers Used for Communication

Environment

  • EDR Server: All Versions

Objective

Update the SSL cipher suites used for communication on the server.

Resolution

Important: In a clustered instance, the cipher settings must be applied on every node.
  1. Determine which cipher suites you want the EDR server to accept. The default configuration receives an A+ score on SSL Labs.

    Strength: Strongest (Default)
    Configuration in /etc/cb/cb.conf:
      UseIncreasedSecurityCiphers = true
      UseWeakCBCSecurityCiphers = false
    Ciphers allowed:
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
      • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
      • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
      • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)

    Strength: Weaker
    Configuration in /etc/cb/cb.conf:
      UseIncreasedSecurityCiphers = true
      UseWeakCBCSecurityCiphers = true
    Ciphers allowed (additional CBC ciphers added to the above):
      • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
      • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
      • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

    Strength: Weakest
    Configuration in /etc/cb/cb.conf:
      UseIncreasedSecurityCiphers = false
      UseWeakCBCSecurityCiphers = false
    Ciphers allowed (additional ciphers added to all of the above):
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
      • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
      • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)

  2. Set the chosen configuration values on each node (every node in a clustered instance).
  3. Restart the cb-enterprise services for the change to take effect.

If the cipher suites you want enabled are not in the pre-built lists, you will need to customize the template. Keep in mind that the endpoints must support a matching cipher suite to complete the TLS handshake.
  1. Take a backup of the original template file:
    cp /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template.bkp
  2. Open /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template for editing and modify line 2, the ssl_ciphers directive:
    • A colon (:) is used to separate each cipher suite
    • An exclamation mark (!) in front of a cipher suite explicitly excludes it
    • Example (see the Nginx documentation for more information):
      ssl_ciphers TLSv1.2+FIPS@STRENGTH:EECDH+AESGCM:EDH+AESGCM;
  3. Edit /etc/cb/cb.conf and add the following value anywhere in the file; this tells the product to use the first ssl_ciphers entry in the template you customized:
    UseIncreasedSecurityCiphers = false
  4. Restart the cb-enterprise services: EDR: How to Restart Server Services
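As an added example that is not part of this article or of the EDR product, the following Python script audits a customized cipher_lists.conf.template before you restart the services: it extracts the ssl_ciphers directive, splits the colon-separated tokens and the ! exclusions, asks the local OpenSSL (through Python's ssl module) which TLS 1.2 suites the string actually selects, and flags CBC suites when UseWeakCBCSecurityCiphers is meant to stay false. The template text is a constructed sample, and the function names and policy rules are assumptions of this example.

```python
import re
import ssl

# Constructed sample of the template the article has you edit (line 2 is the
# ssl_ciphers directive); in practice read the real template file instead.
SAMPLE_TEMPLATE = """# cipher_lists.conf.template (constructed sample)
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5;
"""

def parse_ssl_ciphers(template_text):
    """Return the cipher string from the first nginx ssl_ciphers directive."""
    m = re.search(r"^\s*ssl_ciphers\s+([^;]+);", template_text, re.MULTILINE)
    if not m:
        raise ValueError("no ssl_ciphers directive found")
    return m.group(1).strip().strip("\"'")

def split_tokens(cipher_string):
    """Split the colon-separated string into (included, excluded) tokens;
    a leading '!' marks a suite or group that is explicitly excluded."""
    tokens = [t for t in cipher_string.split(":") if t]
    included = [t for t in tokens if not t.startswith("!")]
    excluded = [t[1:] for t in tokens if t.startswith("!")]
    return included, excluded

def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which TLS 1.2-and-below suites the string selects,
    in preference order. ssl_ciphers does not govern TLS 1.3 suites, so drop them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def policy_violations(suites, allow_weak_cbc=False):
    """Names of suites the chosen tier should not accept (assumed policy):
    CBC-mode suites unless UseWeakCBCSecurityCiphers = true, plus anything
    below 128-bit strength regardless of tier."""
    bad = []
    for c in suites:
        is_cbc = "cbc" in (c.get("symmetric") or "")
        if (is_cbc and not allow_weak_cbc) or c["strength_bits"] < 128:
            bad.append(c["name"])
    return bad

def audit_template(template_text, allow_weak_cbc=False):
    """End-to-end check: parse, expand and evaluate the directive."""
    cipher_string = parse_ssl_ciphers(template_text)
    suites = expand_cipher_string(cipher_string)
    names = [c["name"] for c in suites]
    return names, policy_violations(suites, allow_weak_cbc)
```

Call audit_template() on the contents of your edited template; the expansion reflects the OpenSSL build of the machine running the script, so run it on the EDR server itself for an accurate list.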

Article Information
Creation Date: 09-14-2020