OK, I had to dig for that a bit myself.
From the Release Announcement at "BigFix 11.0 - the latest and greatest BigFix release - available now!", I followed the link to V11 Overview, which has the note:
After you have started upgrading to BigFix 11, even if your deployment is not all at Version 11 yet, you will get the following benefits:
- TLS handshakes will use SHA-384 certificates whenever they are available. After upgrading the BigFix Server to v11, SHA-384 certificates will be available to:
  - All Agents/Relays at Version 11
  - Agents and Relays at 10.0 patch 7 (or later patch) that have had their certificates refreshed, either automatically for expiration of the 13-month validity period, or manually with the “client certificate refresh” actionscript command (see Client certificate)
  - All Agents and Relays installed after upgrading the BigFix Server to Version 11, regardless of their version.
- Content generated by MOs and NMOs like sites, Fixlets, analyses, actions, etc. will be signed with both SHA-256 and SHA-384. To validate such content, BigFix components at v11 will rely on both, while BigFix components at earlier versions will rely on the SHA-256 signature.
- The BigFix Server will validate external site content using either the SHA-256 or the SHA-384 signature.
- The BigFix Server will process Agent reports that are signed using either SHA-256 or SHA-384.
- BigFix Platform 11 will support both TLS 1.2 and TLS 1.3 (with TLS 1.3 being always the first attempted option), while it will no longer support TLS 1.1 or below in ANY scenario requiring HTTPS.
Note: Because of the above, BigFix Platform components at Version 11 will no longer be backward compatible with BigFix components at version 9.0 or lower.
In effect, 9.2 and 9.5 should still be good, but 9.0 or lower clients will not be able to communicate with an 11.x deployment. We dropped support for TLS 1.0 and 1.1 entirely.