Configuring BigFix TLS 1.2 to use Elliptic Curve Cryptography

fossl 2016-06-08 00:32:28 UTC #1

Does anyone know if there is a way to configure the TLS 1.2 security in BigFix 9.x to use Elliptic Curve Cryptography? Specifically I have a U.S. Government requirement to use the following suite

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 4289

Thanks,
Lou

strawgate 2016-06-08 01:26:34 UTC #2

Hello,

I don’t know that the suite for TLS is configurable.

I also am not sure i’ve ever seen a requirement to use an exact cryptographic method – normally a family or set of them are approved like FIPS Compliant, etc.

Can you share more about your set of requirements?

jgstew 2016-06-08 02:11:17 UTC #3

This is an interesting request and requirement.

I realize that you probably can’t just push back on the requirement, but I would say the following, which you may already know:

BigFix has additional security features to make it resistant to man in the middle attacks or attacks that modify the encrypted stream.

Also, I think if your endpoints are sending encrypted reports, that encryption is in addition to any SSL/TLS encryption that may be in place.

If it was possible to change this, it would likely have to be a client setting or something similar.

CC: @AlanM @gearoid

fossl 2016-06-08 11:00:27 UTC #4

US Government intelligence community and DoD entities, depending on the network, have a firm requirement to use the “Suite B” set of encryption algorithms and standards that include Elliptic Curve and Diffie Hellman algorithms.

I hope that this helps.

These algorithms are all available in OpenSSL. I was hoping that since BigFix used OpenSSL on its Linux server version it was just a matter of some reconfiguration of the server to enforce the suite B standards

Thanks,
Lou

jgstew 2016-06-09 01:06:56 UTC #5

BigFix uses OpenSSL on both Windows & Linux.

This is a question for someone from IBM to answer. I have CC’d them above.

fermt 2016-06-09 15:30:46 UTC #6

Maybe also @BigFixNinja could help on this question.

BigFixNinja 2016-06-09 23:16:42 UTC #7

I defer to @steve and @Aram

jgstew 2016-06-09 23:41:03 UTC #8

You may need to file an RFE for this if it isn’t supported in the product already.

If you do file an RFE, include a link to this forum post in the RFE and provide a link to the RFE in a reply to this forum post so that we can go vote on it.

fossl 2016-06-09 23:59:22 UTC #9

Yes… I did file an RFE for it.

https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=89707

Votes appreciated!!

Lou

Aram 2016-06-10 14:05:34 UTC #10

While there are some configuration options that allow for modifying the cipher suites leveraged by the platform, they are not currently so granular as to allow the use of a very specific cipher. This is certainly something we can explore, and if there’s interest, please do review and vote for the RFE.

jgstew 2016-06-10 20:02:37 UTC #11

Is it possible that the current configuration options would allow different sets of cipher suites to be excluded from use?

I wonder if enough could be excluded as to only include those that are acceptable in this case.

jgstew 2016-06-10 20:04:19 UTC #12

You should edit your RFE to include a link to this post if you still can.

I added a comment with a link to this post, but it is better if it is in the RFE itself.

fossl 2016-06-10 23:18:15 UTC #13

Thanks James… Unfortunately you can’t change the RFE after 24 hours… thanks for putting it in the comment.

ashutosh0001 2018-07-09 07:04:25 UTC #14

@fossl: You can configure TLS 1.2 in Bigfix 9.X via Bigfix Administrator tool>> Security >> Enable Enhanced Security

Enables or disables the enhanced security that adopts the SHA-256
cryptographic digest algorithm for all digital signatures as well as content
verification and the TLS 1.2 protocol for communications among the BigFix
components.

FDA 2020-07-21 10:52:24 UTC #15

I came across this old post and noticed taht the question is related to the TLS Diffie-Hellman (ECDHE) support. This requirement is going to be addressed in version 10 patch 1. Stay tuned !

ncpeteusa 2023-01-31 16:30:30 UTC #16

Any updates on this old post?

JasonWalker 2023-01-31 16:37:56 UTC #17

Sure…we did it …

https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_security_ciphers_lin.html

Edit: here’s the Windows link
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_security_ciphers.html