Besadmin set cipher list

Hello

Looking at the documentation at this link https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Installation/c_security_ciphers.html. When I run the /listtlscipher command on my 10.0.8 BigFix server I get a list of RSA ciphers and a list of non-RSA ciphers, for example ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-ECDSA-AES256-GCM-SHA384. Do I need to list each specific cipher that is displayed? What if I have older Windows boxes that may not support these, do I brick the client? What about LINUX and UNIX, how would I know what ciphers they support?

The /listTLSCiphers option displays the currently configured/allowed TLS ciphers for the given BigFix instance. You can of course adjust these per your requirements given the other options defined in the documentation link you referenced (though I’d suggest the v10 documentation given that your server is v10.0.8, in case there are differences here: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_security_ciphers.html).

By defining a more strict set of ciphers, it is certainly possible to prevent older Clients (that are not able to leverage the more strict set of ciphers) from communicating with the BigFix infrastructure. As such, it is very important to test changes (including against different Client platforms and versions that you have in the environment) ahead of wide ‘production’ roll-outs. It’s not that the Client would be ‘bricked’, but it will take manual intervention to get the Client to be able to communicate with the BigFix infrastructure once more (i.e. the Client’s masthead will have to be replaced with one that includes an allowed ciphers configuration that the Client is able to utilize).
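A small check that helps with the "how would I know what ciphers they support" question, before any `/setTLSCipherList` change goes out. This is an added example, not code from the thread or from HCL, and it assumes that the names printed by `besadmin /listTLSCiphers` are OpenSSL cipher-suite names, as the two examples in the question are. Run it on a candidate Linux or UNIX host: it splits a colon-separated cipher list, asks the OpenSSL library that the host's Python is linked against whether each suite can be selected, and groups the accepted suites by the certificate key type (`Au=RSA`, `Au=ECDSA`) they require. The library probed is the OS-level one Python uses, which is not necessarily the one the BigFix Client itself links, so treat a pass here as a first filter rather than proof that the Client will connect.

```python
"""Probe an OpenSSL-style cipher list against the TLS library on this host.

Added example; not part of the BigFix forum thread or HCL documentation.
Assumption: the suite names are OpenSSL names (e.g. ECDHE-RSA-AES256-GCM-SHA384).
"""
import ssl

# Constructed sample list in the shape the question describes: RSA-authenticated
# and ECDSA-authenticated suites side by side, plus one bogus name to show the
# failure path.
SAMPLE_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "NOT-A-REAL-CIPHER"
)


def split_cipher_list(cipher_list):
    """Split 'A:B:C' into suite names, dropping empty items and whitespace."""
    return [c.strip() for c in cipher_list.split(":") if c.strip()]


def probe_local_openssl(names):
    """Return {name: description or None}.

    For each suite, ask the local OpenSSL to select exactly that suite.
    set_ciphers() raises SSLError when no TLS 1.2-or-lower cipher matches,
    which is how an unknown or compiled-out suite shows up.
    """
    result = {}
    for name in names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            result[name] = None
            continue
        # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does
        # not control, so look for the requested name explicitly.
        match = [c for c in ctx.get_ciphers() if c["name"] == name]
        result[name] = match[0]["description"] if match else None
    return result


def auth_type(description):
    """Pull the 'Au=' field (RSA, ECDSA, ...) out of an OpenSSL cipher description."""
    for field in description.split():
        if field.startswith("Au="):
            return field[3:]
    return "unknown"


def report(cipher_list):
    """Summarise which suites this host accepts and what certificate type each needs."""
    names = split_cipher_list(cipher_list)
    probed = probe_local_openssl(names)
    by_auth = {}
    for name, desc in probed.items():
        if desc is not None:
            by_auth.setdefault(auth_type(desc), []).append(name)
    unsupported = [n for n in names if probed[n] is None]
    return {"by_auth": by_auth, "unsupported": unsupported}


if __name__ == "__main__":
    r = report(SAMPLE_CIPHER_LIST)
    for auth, suites in sorted(r["by_auth"].items()):
        print(f"{auth}-authenticated suites accepted here: {', '.join(suites)}")
    print("Not selectable by this host's OpenSSL:", ", ".join(r["unsupported"]) or "none")
```

Feed it the exact string you intend to pass to `/setTLSCipherList`, on one host of each platform and Client version you have, and keep any name that comes back under "not selectable" out of the list until you have confirmed that platform another way.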


Thanks for replying. My main concern is testing. Running the besadmin /setTLSCipherList command appears to me to be an enterprise-wide change that can’t be targeted to a representative group of operating systems and client versions. Maybe I am missing something here. Does HCL provide any guidance?