Hi guys, we are in the midst of replacing our existing BigFix server, database and TLRs with new hardware, and during the compliance scan it was flagged that BigFix is using TLS 1.0. The proposed solution is to enable Enhanced Security.
I would like to ask what the impact is if we turn on Enhanced Security. Will it cause a breakdown in communication between the new infra and the existing SLRs?
No, it will not break down communication. When you enable Enhanced Security you will notice that your BigFix root server services are restarted to invoke this change. You will also see that your relays continue to support TLS 1.0, 1.1 and 1.2. You can validate this via this curl command, which is built into Win10 build 17063 and later builds, as an example:
However, if you restart the relay service, you'll see that the only acceptable protocol is TLS 1.2, which you can validate with the above commands again. Once you invoke this change, you'll need to schedule some maintenance on your relays to restart the relay service so that they only support TLS 1.2. Hopefully this provides you with the details that you need to disable TLS 1.0 and 1.1.
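As an added example (not from the thread above), here is a small POSIX shell script that does the same check the curl command performs, one pinned TLS version at a time, so you can confirm before and after the relay service restart which versions a relay still accepts. It assumes curl 7.54 or later (for `--tls-max`), the default BigFix port 52311, and a placeholder host name.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: curl >= 7.54 (--tls-max), BigFix default port 52311,
# "relay.example.com" is a placeholder for your relay or root server.

# Map a curl exit status to a verdict:
#   0  = handshake succeeded and an HTTP response came back
#   35 = SSL connect error, i.e. the server refused that protocol version
#   anything else = network/other failure, not a TLS-version answer
classify_curl_exit() {
  case "$1" in
    0)  echo "accepted" ;;
    35) echo "rejected" ;;
    *)  echo "error(exit=$1)" ;;
  esac
}

# Attempt one handshake pinned to a single TLS version (e.g. 1.0, 1.1, 1.2).
# --insecure is used because the deployment certificate is self-signed; we are
# only testing protocol negotiation here, not certificate trust.
probe_tls() {
  host="$1"; port="$2"; ver="$3"
  rc=0
  curl --silent --insecure --output /dev/null --max-time 10 \
       --tlsv"$ver" --tls-max "$ver" "https://$host:$port/" >/dev/null 2>&1 || rc=$?
  classify_curl_exit "$rc"
}

# Print a verdict for each version. After Enhanced Security is enabled and the
# relay service has been restarted, only TLS 1.2 should show "accepted".
report_tls() {
  for v in 1.0 1.1 1.2; do
    printf 'TLS %s: %s\n' "$v" "$(probe_tls "$1" "$2" "$v")"
  done
}

# Returns 0 only when 1.0 and 1.1 are rejected and 1.2 is accepted,
# i.e. the relay is in the post-restart, TLS 1.2-only state.
only_tls12() {
  [ "$1" = "rejected" ] && [ "$2" = "rejected" ] && [ "$3" = "accepted" ]
}

# Usage: report_tls relay.example.com 52311
```

Run `report_tls` against a relay before restarting its service and you should see all three versions accepted; after the restart, only TLS 1.2.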
By the way, if you need to enable TLS 1.2 on your Web Reports server, you can do so following this documentation: Customizing HTTPS on Web Reports
One caveat is that all clients and relays must be at least version 9.1. 9.0 and earlier clients did not support TLS 1.2 and cannot report to a deployment that has Enhanced Security enabled.