Does anyone know if there is a way to configure the TLS 1.2 security in BigFix 9.x to use Elliptic Curve Cryptography? Specifically I have a U.S. Government requirement to use the following suite
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 4289
I don’t know that the suite for TLS is configurable.
I also am not sure I've ever seen a requirement to use an exact cryptographic method – normally a family or set of them are approved, like FIPS compliant, etc.
Can you share more about your set of requirements?
US Government intelligence community and DoD entities, depending on the network, have a firm requirement to use the “Suite B” set of encryption algorithms and standards that include Elliptic Curve and Diffie Hellman algorithms.
I hope that this helps.
These algorithms are all available in OpenSSL. I was hoping that since BigFix used OpenSSL on its Linux server version, it was just a matter of some reconfiguration of the server to enforce the Suite B standards.
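As an added example that is not from this thread or from BigFix itself, the following Python script uses the standard `ssl` module (which wraps OpenSSL) to translate the IANA suite name quoted above into OpenSSL's own spelling, build a TLS 1.2-only server context restricted to that single suite, and check whether a context offers exactly the required suite; `iana_to_openssl`, `restrict_to_suite` and `meets_requirement` are hypothetical helper names and the converter only covers the AES-based (EC)DHE suites.

```python
import ssl

# The single IANA-named suite the poster is required to use.
REQUIRED_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"


def iana_to_openssl(iana_name):
    """Translate an IANA TLS 1.2 suite name into OpenSSL's spelling.

    Covers AES-based (EC)DHE suites only (hypothetical helper). OpenSSL drops
    the 'TLS_', 'WITH' and 'CBC' tokens and fuses the key size onto 'AES', so
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA becomes ECDHE-RSA-AES128-SHA.
    """
    if not iana_name.startswith("TLS_") or "_WITH_" not in iana_name:
        raise ValueError(f"not a TLS 1.2 IANA suite name: {iana_name}")
    kex, cipher = iana_name[len("TLS_"):].split("_WITH_", 1)
    if kex.split("_")[0] not in ("ECDHE", "DHE"):
        raise ValueError(f"only (EC)DHE suites are handled: {iana_name}")
    tokens = [t for t in cipher.split("_") if t != "CBC"]
    if "AES" not in tokens:
        raise ValueError(f"only AES-based suites are handled: {iana_name}")
    i = tokens.index("AES")
    tokens[i:i + 2] = [tokens[i] + tokens[i + 1]]  # 'AES', '256' -> 'AES256'
    return "-".join(kex.split("_") + tokens)


def restrict_to_suite(iana_name):
    """Server-side OpenSSL context that negotiates TLS 1.2 with one suite only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Raises ssl.SSLError if the linked OpenSSL does not know the suite.
    ctx.set_ciphers(iana_to_openssl(iana_name))
    return ctx


def tls12_suites(ctx):
    """OpenSSL names of the pre-TLS 1.3 suites the context would offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def meets_requirement(ctx, iana_name):
    """True only when the context offers exactly the required suite."""
    return tls12_suites(ctx) == [iana_to_openssl(iana_name)]


if __name__ == "__main__":
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # OpenSSL defaults: many suites
    strict = restrict_to_suite(REQUIRED_SUITE)
    print("default context meets requirement:", meets_requirement(lax, REQUIRED_SUITE))
    print("restricted context meets requirement:", meets_requirement(strict, REQUIRED_SUITE))
```

The same OpenSSL cipher string (`ECDHE-RSA-AES256-GCM-SHA384`) is what an OpenSSL-based server would need in its cipher configuration; the script only shows what that restriction looks like and how to verify it, not a BigFix setting.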
You may need to file an RFE for this if it isn’t supported in the product already.
If you do file an RFE, include a link to this forum post in the RFE and provide a link to the RFE in a reply to this forum post so that we can go vote on it.
While there are some configuration options that allow for modifying the cipher suites leveraged by the platform, they are not currently so granular as to allow the use of a very specific cipher. This is certainly something we can explore, and if there’s interest, please do review and vote for the RFE.
@fossl: You can configure TLS 1.2 in BigFix 9.x via BigFix Administrator tool >> Security >> Enable Enhanced Security
Enables or disables the enhanced security that adopts the SHA-256 cryptographic digest algorithm for all digital signatures as well as content verification and the TLS 1.2 protocol for communications among the BigFix components.
I came across this old post and noticed that the question is related to the TLS Diffie-Hellman (ECDHE) support. This requirement is going to be addressed in version 10 patch 1. Stay tuned!