I hadn’t heard about SCA import failures due to Patch 8, but for the other things, generally what changes in patch 9 makes them easier to resolve, but still carefully read the “Customizing HTTPS for downloads” link @adinia posted above.
The “Failed Downloads due to HTTPS Verification” is unfortunately an intended effect of hardening our HTTPS defaults to be more secure. If you are only downloading from public sites using publicly-trusted certificates, you should be able to upgrade to 10.0.9 without issue.
However, if you are using any self-signed or internally-issued certificates for downloads, there are some configurations you’ll need to make. In most deployments this includes Inventory Catalog downloads (where the Root Server downloads a catalog from your BFI server, and the BFI server is using the default self-signed certificates or one issued internally by your org); or you host your own downloads on an internal web server; or you use a Proxy that inspects & rewrites the TLS session with its own certificates. In those cases, you’ll need to update your server’s Certificate Trust Store to include trusts for your certificates (to maintain the more secure TLS authentication), or set _BESRelay_Download_UntrustedSites to 1 (to relax the new TLS authentication and behave like 10.0.7, ignoring the ‘untrusted certificate’ error and allowing the downloads to proceed).
Adding your certificates to the certificate trust store is more secure and is preferred; disabling the TLS authentication disables the verification for all sites, and is similar to clicking “Connect anyway” to a browser’s dialog about untrusted certificates. Traditionally this didn’t much matter in a BigFix context, where we automatically validate the downloads’ hash values and can be assured that the download file is what we expected, but the TLS authentication is much more important when we consider some dynamic download options.
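The trade-off described in the post above, as an added example that is not part of the original post and is not BigFix code: a simplified Python model of the accept/reject decision for a download. The `Response` type, the `accept` function, the sample payloads, and the idea that a "dynamic" download is one with no hash fixed in advance are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Response:
    """What arrived over HTTPS (constructed stand-in for a real fetch)."""
    body: bytes
    cert_trusted: bool  # did the server certificate chain to the trust store?

def accept(resp: Response, allow_untrusted: bool,
           pinned_sha256: Optional[str] = None) -> str:
    """Return 'accepted' or the reason for rejection.

    allow_untrusted models _BESRelay_Download_UntrustedSites = 1.
    pinned_sha256 is a hash fixed in advance by the content author;
    None models a download with no pre-published hash (assumption).
    """
    if not resp.cert_trusted and not allow_untrusted:
        return "rejected: untrusted certificate"
    if pinned_sha256 is not None:
        actual = hashlib.sha256(resp.body).hexdigest()
        if not hmac.compare_digest(actual, pinned_sha256):
            return "rejected: hash mismatch"
    return "accepted"

# Constructed sample data, not real catalog content.
GENUINE = b"catalog-2024.bin (constructed sample)"
ALTERED = b"catalog-2024.bin (altered in transit)"
PINNED = hashlib.sha256(GENUINE).hexdigest()

def scenarios() -> dict:
    internal = Response(GENUINE, cert_trusted=False)        # self-signed server
    altered = Response(ALTERED, cert_trusted=False)         # content changed en route
    after_ca_import = Response(GENUINE, cert_trusted=True)  # CA added to trust store
    return {
        "default, self-signed": accept(internal, False, PINNED),
        "CA imported": accept(after_ca_import, False, PINNED),
        "relaxed, pinned, altered": accept(altered, True, PINNED),
        "relaxed, unpinned, altered": accept(altered, True, None),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The last scenario is the one to watch for: with verification relaxed and no pinned hash, nothing in the model detects the altered content, which is why importing the certificates into the trust store is the preferred fix.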