Environment
Objective
Update the TLS cipher suites the EDR server accepts for communication.
Resolution
Important: cipher settings must be applied to every node in a clustered instance.
- Determine which cipher suites you want the EDR server to accept. The default configuration receives an A+ score on SSL Labs.
Strength | Configuration in /etc/cb/cb.conf | Cipher suites allowed
---|---|---
Strongest (default) | UseIncreasedSecurityCiphers = true, UseWeakCBCSecurityCiphers = false | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048), TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
Weaker | UseIncreasedSecurityCiphers = true, UseWeakCBCSecurityCiphers = true | All of the above, plus these CBC suites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048), TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
Weakest | UseIncreasedSecurityCiphers = false, UseWeakCBCSecurityCiphers = false | All of the above, plus: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1), TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048), TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
- Set the chosen values in /etc/cb/cb.conf on each node (every node in a cluster).
- Restart the cb-enterprise services for the change to take effect.
If the cipher suites you want enabled are not in one of the pre-built lists, you will need to customize the template. Keep in mind that the endpoints must support at least one of the enabled cipher suites to complete the TLS handshake, so only drop to the Weaker or Weakest list when an endpoint in your environment cannot negotiate the stronger one. Note also that the TLS_RSA_* suites use static RSA key exchange and therefore provide no forward secrecy.
- Take a backup of the original template file
cp /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template.bkp
- Edit /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template, modifying the ssl_ciphers directive on line 2.
- Edit /etc/cb/cb.conf and add the following value anywhere in the file; this tells the product to use the first ssl_ciphers list in the template you customized:
UseIncreasedSecurityCiphers = false
- Restart the cb-enterprise services (see EDR: How to Restart Server Services).
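After restarting, verify that the server accepts exactly the suites you intended rather than trusting the flags alone. The script below is an added example and is not code from the original article or from the EDR product: it reads the two flags from /etc/cb/cb.conf, derives the cipher list the table above predicts (or, for a customized template, reads the first ssl_ciphers line), and then attempts one single-suite TLS 1.2 handshake per suite against the server. Assumptions: the web front end listens on TCP 443 (hypothetical; check your nginx configuration), flags absent from cb.conf take the documented defaults (true / false), comments in cb.conf start with #, and a customized template's ssl_ciphers line uses OpenSSL-style names separated by colons. The IANA-to-OpenSSL name mapping is standard OpenSSL naming.

```python
"""Check which TLS 1.2 cipher suites an EDR server actually negotiates.

Added example (not part of the article or product).  Assumptions are noted
inline: port 443, documented defaults for absent flags, '#' comments in
cb.conf, colon-separated OpenSSL names in a customized nginx template.
"""
import re
import socket
import ssl
import sys

# IANA suite name -> OpenSSL name, covering every suite in the article's table.
OPENSSL_NAME = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384":   "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256":   "DHE-RSA-AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256":       "AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256":   "DHE-RSA-AES256-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256":   "DHE-RSA-AES128-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256":       "AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384":       "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256":       "AES256-SHA256",
}

# The three rows of the article's table, as cumulative lists.
STRONGEST = list(OPENSSL_NAME)[:5]
WEAK_CBC_EXTRA = list(OPENSSL_NAME)[5:9]
WEAKEST_EXTRA = list(OPENSSL_NAME)[9:]


def parse_cb_conf(text):
    """Return (UseIncreasedSecurityCiphers, UseWeakCBCSecurityCiphers).

    Last assignment wins; a missing key falls back to the documented default
    (assumption: absent means default).  '#' starts a comment (assumption).
    """
    flags = {"UseIncreasedSecurityCiphers": True,
             "UseWeakCBCSecurityCiphers": False}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(\w+)", line)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).lower() == "true"
    return flags["UseIncreasedSecurityCiphers"], flags["UseWeakCBCSecurityCiphers"]


def expected_suites(increased, weak_cbc):
    """IANA names the table predicts for a flag combination."""
    if not increased:                       # 'Weakest' row: everything
        return STRONGEST + WEAK_CBC_EXTRA + WEAKEST_EXTRA
    if weak_cbc:                            # 'Weaker' row: GCM + CBC
        return STRONGEST + WEAK_CBC_EXTRA
    return list(STRONGEST)                  # 'Strongest' (default) row


def parse_template_ciphers(template_text):
    """OpenSSL names from the FIRST ssl_ciphers directive of a customized
    template (the list selected when UseIncreasedSecurityCiphers = false)."""
    m = re.search(r"^\s*ssl_ciphers\s+([^;]+);", template_text, re.M)
    if not m:
        return []
    return [c for c in m.group(1).strip().strip("'\"").split(":") if c]


def probe(host, openssl_cipher, port=443, timeout=5.0):
    """True if the server completes a TLS 1.2 handshake when the client
    offers only this one suite.  Certificate checks are disabled on purpose:
    we are testing cipher negotiation, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(openssl_cipher)
    except ssl.SSLError:
        return False                        # local OpenSSL lacks this suite
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == openssl_cipher
    except (OSError, ssl.SSLError):
        return False


def main(argv):
    host = argv[1] if len(argv) > 1 else "127.0.0.1"   # assumption: local node
    with open("/etc/cb/cb.conf") as f:
        increased, weak_cbc = parse_cb_conf(f.read())
    wanted = [OPENSSL_NAME[s] for s in expected_suites(increased, weak_cbc)]
    if not increased:                       # custom template path from the article
        with open("/etc/cb/nginx/conf.d/templates/cipher_lists.conf.template") as f:
            custom = parse_template_ciphers(f.read())
        wanted = custom or wanted
    for name in sorted(set(wanted) | set(OPENSSL_NAME.values())):
        accepted = probe(host, name)
        flag = "" if accepted == (name in wanted) else "   <-- MISMATCH"
        print(f"{name:32} {'accepted' if accepted else 'rejected'}{flag}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the node itself (`python3 check_ciphers.py`) or point it at each cluster member; any line marked MISMATCH means the live configuration differs from what cb.conf says, which usually indicates a node that was not restarted or a template edit that did not land. The script only exercises TLS 1.2 because every suite in the table is a TLS 1.2 suite.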
Additional Notes
Related Content