Relay Version 11 Issues

pcpeteusa 2023-09-14 15:03:20 UTC #1

Hello

I recently updated to version 11 on my windows BigFix server and relays. I am getting client log messages that the relay does not support secure registration. The clients are at version 10.0.8. We are not using that feature. WE are also not setting the TLS cipher list but in the relay log I see TLS Cipher List: HIGH:!ADH:!AECDH:!kDH:!kECDH:!kRSA:!PSK:!SRP:!SHA1 which I thought was odd. Checking the masthead file there are no ciphers defined and running the besadmin.exe/ securitysettings command nothing has been set.

Not sure why we are getting this error message. The clients that are getting this have been reporting in for a couple of years. This is new since the upgrade. Any help/ideas would be appreciated

dmccalla 2023-09-14 15:17:06 UTC #2

Did you happen to enforce TLS 1.3 via the BES Admin tool?

pcpeteusa 2023-09-14 15:21:11 UTC #3

No since we still have clients at 10.08 we haven’t enabled that feature

dmccalla 2023-09-14 15:25:49 UTC #4

Ok. You would see that message if you did but its not exclusive to enabling that. Just wanted to check that off the list. Are there any similar (e,g, RegisterOnce) log entries immediately after that one?

JasonWalker 2023-09-14 15:59:36 UTC #5

Enabling ‘Enhanced Security’ (disabling sha1 ciphers) was a prerequisite before upgrading to BigFix 11, in case the !SHA1 cipher disable is what surprised you - that’s the expected cipher list with BF 11.